I have a 0Auth2 refresh token for which I would like to know the expiry time.
Can someone point me to a tool for decoding a refresh token.
I have tried https://jwt.io, while this works for access_tokens, it would not decode the refresh token using any of the available encryption algorithms.
Related
I see most of people saying when we use refresh token to exchange for a new access token, the auth server would issue a new refresh token and invalid the previous one. Refer
OAuth Refresh Token Best Practice
But from the OAuth website
https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
It says the auth server can "optionally issue a new fresh token in response, or if we don't include a new refresh token, the client assumes the current refresh token will continue to be valid"
So, it looks like both options (keep or renew refresh token) are acceptable to OAuth2 standard.
My questions are:
1) Do both options are equally secure?
2) If the auth server returns a new refresh token but the client fails to receive (e.g. network error), the client has no way to re-gain access token with existing refresh token, which already invalidated. Correct?
3) If the refresh token has been leaked to someone else, both the attacker and the victim client can use it. If the auth server takes the renewal approach, then only the first one to use the refresh token can re-gain access token. So, if the victim found the refresh token is no longer valid, it may think that the refresh token has been compromised. Is this the reason for the "renewal approach"?
2.) Yes, that's correct.
3.) That's correct too. You can take a look at the OAuth 2.0 for Browser-Based Apps RFC which discusses the refresh token regeneration. It's important mainly for public clients - the ones without client_secret, since a refresh token can be exchanged for an access token right away.
1.) Refresh token regeneration is a security feature - it shortens validity of a stolen refresh token and it enables the auth server to detect that refresh token had been compromised. So it's more secure to use it than not. But it may be more convenient for private clients not to get a new refresh token on each use - for example to prevent the refresh token loss due to network error - as you described it in point #2.
I have a web application written that uses the OAuth "authorization code" grant type to retrieve the initial access token, and then the "refresh token" grant type to refresh the access token on occasion.
However, a problem occurs when the OAuth server is bogged down and the request for a refresh token takes long (10+ seconds). The client will timeout the request and cancel it, but the server fulfills the request eventually. When the server fulfills the request, it generates the new access token and refresh token and simultaneously invalidates the old refresh token. The client never receives the new tokens.
Now the next time the client tries to renew it's token again (when the server is not bogged down), it's attempting to do so with an invalid (old) refresh token. Now the only way to fix the problem is to use the "authorization code" grant again, which requires manual intervention by the end user.
How do others work around this issue?
I've seen the exact same issue at a company I worked at.
The advice I gave them is not to expire/rotate refresh tokens. The Oauth protocol allows for refresh token rotation, but does not require it. In the Oauth threat model, the value and the implications are discussed, including the following note:
Note: This measure may cause problems in clustered environments,
since usage of the currently valid refresh token must be ensured. In
such an environment, other measures might be more appropriate.
The case you are dealing with is another reason (in addition to the note above) on why refresh token expiry is not a great idea.
If you have no control over that, then you have to develop some duct-tape kludge solution where you retain refresh tokens and substitute on the server side an expired refresh token for a current one. It's ugly, very ugly, but unfortunately I'm not sure there is much more you can do with this painful security control that causes more problems than what it is worth.
I'm developing a API to be used with my IOS App and I am curious on the best practice for using the refresh token in oAuth2. I am using the user password grant to generate a access token and refresh token.
If the token expires every 60 minutes then that means every 60 minutes the client will have to make 3 consecutive API calls: 1. use the access token to get the resource from the API, 2. api responds with a invalid token so we need to use the refresh token, 3. now that the token is refreshed we need to try the initial call again.
So, what I am wanting to know is if it's best to refresh the token just before it expires? Or is it better to generate a new access token once the API has responded with a expired token error?
Not sure there's a best practice as such, but it's certainly more efficient to refresh in advance as you then won't make requests that you can know will fail. The cost of the timer to refresh is much less than the cost of the network communication.
You still need handling for the token being invalid on any request as the server could invalidate the token for any number of other reasons, so this is really a 'how can I make this efficient and user friendly' than a 'can I remove some of my code' kind of thing. Handling the error response is the standard, refreshing in advance is the user friendly.
Be cautious about refreshing while you have in-flight requests and you could inadvertently cause a request to fail by invalidating its token...
I'm implementing OAuth 2.0 in my API. We're using JWTs for authentication, and refresh tokens for client-only reauthorization. Should I ask the client to also provide the userId in the body of POST /token so that they're required to know the user and the refresh token together (so you can't just try a bunch of random strings and see what works)? What's the standard?
Guessing a refresh token should not be possible if the spec is implemented correctly; https://www.rfc-editor.org/rfc/rfc6749#section-10.4 says:
The authorization server MUST ensure that refresh tokens cannot be
generated, modified, or guessed to produce valid refresh tokens by
unauthorized parties.
You must make sure that you generate refresh tokens with enough entropy so that the randomness of your refresh token would not become any different by adding the userid to it. Or to put it yet differently: guessing your refresh token would be just as hard as guessing userid+refresh token. Besides that, adding a user id in the POST would make it actually more predictable than adding a random string to the refresh token with the length of the userid.
I read the documentation in the Youtube developers website it does not talk about any validity.
Does the OAuth 2.0 standards define any validity period or is the authorization token valid till the user revokes it manually ?
The OAuth spec defines that the token should expire shortly after its granted, so will it expire after I get the
access and refresh tokens ?
And can I use this access token for all future API requests or do I need to get a new token periodically ?
I'm assuming you are talking about the authorization code, you're mixing the terms a bit here.
From the OAuth 2.0 draft:
The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
After using it once for getting the access token, you can not use it again. You also don't need to retrieve an authorization code periodically. You do this only when you have no access token for a user, but want to request his data.
Your access token some time expires. You know when by either looking at the expires_in value that got send with it, or by doing a request to the API and getting an access token expired error back. Then you can use the refresh token to get a new access token without the user being involved.
Very useful step-by-step guide about how to get access and fresh tokens and save them for future use using YouTube OAuth API v3.
PHP server-side YouTube V3 OAuth API video upload guide.
The good thing is, you do not need to worry about the expiry of the tokens, as the script in this guide checks, saves, and updates the token in a txt file for future access.
{"access_token":"XXXXXXXXX","token_type":"Bearer", "expires_in":3600, "refresh_token":"XXXXXXX", "created":000000}
We use at http://presentationtube.com and it works fine with thousands of users.