Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed last month.
Improve this question
What is best practice in refreshing an available access token?
Should I have receive access token in refresh token request body? Is it secure to receive ONLY a refresh token in request of refreshing token?
It is best practice to refresh access tokens using a refresh token. This allows the access token to be refreshed without requiring the user to provide their login credentials again. The refresh token should be stored securely by the client and used to request a new access token when the original access token expires. It is generally not necessary to include the original access token in the request. The client should simply send the refresh token and any necessary authentication credentials.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 days ago.
Improve this question
I'm unable to find a concrete solution in any forums to configure an app where users can sign in with their Microsoft accounts when using a separated backend API (Python FastAPI) and frontend UI (React.js).
I want to a user to click login in the frontend where they are redirected to the Microsoft login page. They enter their details are then logged in. This login state should remain present until logout or expiry of the refresh token.
My app is concerned with visualising information for each user, which uses data stored in a separate neo4j database and is not pulled from Microsoft Graph API. I just want to allow a logged in user to edit the data in the neo4j database that is linked to them, most likely using their username as a unique identifier. Eventually it might be nice that I can pull user related info from Graph API for visualisation.
I don't want to set up a separate user or session database as I want to keep costs low.
What is the recommended way to configure this type of application?
I would like to have all authentication controlled by my FastAPI backend. I have set this up so far as follows:
User clicks login button in frontend, which triggers call to login endpoint in backend.
login endpoint redirects to authorization url using a ConfidentialClientApplication from msal library
User enters their credentials and the Azure AD app is registered to redirect back to a callback endpoint
callback endpoint uses the code from the request parameter to acquire an access token and refresh token
From this point on, I'm unsure how the user can remain authenticated while keeping the connection secure. My current approach is as follows:
Access token and refresh token are stored in response.cookies with http_only set to True to prevent JS-based attacks
Every time the frontend makes a subsequent request, a FastAPI Depends function is called that takes the access token and requests the current user information from https://graph.microsoft.com/v1.0/me using the access token in the Authorization header. If it fails then user needs to log back in.
I'm not sure how I can use the refresh token to get a new access token if the old one expires. If I can't do that then the user will have to log back in quite regularly.
Multiple users might be using this API at once so there will be multiple accounts associated with the ConfidentialClientApplication aka msal_app here. One approach might be that the username is stored in the request cookies and I can get the account from account = msal_app.get_accounts(username="foo") then use msal_app.acquire_token_silent(account=account) to refresh the token. However doesn't that mean anyone with access to my API could just use a username to access someone's data who is already authenticated?
Is it bad practice to send the access token to the frontend as an authenticating identifier?
Should I be generating the access token in the frontend and then my API acting as an "on-behalf-of" client? That way the msal caching using refresh token occurs in the frontend. This means I would need my client secret in frontend and I would need to cache my tokens there though, which I was under the impression is not as secure. Is this true?
I am design the app auth api with auth2.0, now I found some companies set the refresh token expire with 10 years! why design like that? it is a good practice? how long should I set the refresh token expire time?
I found the google oauth 2.0 refresh token never expired for native app: https://developers.google.com/identity/protocols/oauth2/native-app
It all depends on how often you want to to force the user login again and reauthenticate.
In some system you want the user to do this more often and in a system with for example 10 years refresh token, you don't want the user to have to login again after the first successful authentication.
It's a bad idea to set the liftime of refresh_token to 10 years like that you have a big security problem, the best implementation of refresh_token is when it is used the first time it should be revocked or a lifetime not much than access_token.
see my other answer here
Is there a way to update the current Jwt token expiration time on event? I have a modal that warn the user their token is going to expire and they need to click a button to extend that time. Is there a way to extend the current Jwt Token expire time without t he use of a refresh token or on event?
You cannot update an existing token you would've to generate a new token everytime.
This question has already been answered here
I am confused with access_token and id_token of OIDC, which one should be set to authorization header when making request to a resource owner? Is the id_token only for client to display user information without making request?
I think similar question is answered by ajaybc here - https://stackoverflow.com/a/19443840/4794396.
To say, id_token is required for the authentication of the user. And access_token is mandatory for reaching out to the end-point.
PS: Couldn't leave a comment as I haven't got 50 reputations yet.
According to the documentation here:
https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Requests with access_type=offline in the querystring should grant a permission to access data while the user is offline and result in google sending a refresh token when the user accepts. This is no longer happening as of a few days ago. Does anyone know what changed or if there is a better way to go about getting an access/refresh token?