Just implemented an OAuth2 authentication with AWS Cognito and came across this issue:
I am re-generating an id_token with my refresh_token using this endpoint:
/oauth2/token
grant-type: refresh_token
but when my refresh_token is expired, I don't want the user to go through the login process again.
Is there any way of "refresh the refresh_token"?
Also, I don't want my refresh_token to have infinite (or 9999 years) of validity time.
What should I do?
Thank you.
No you cannot get a fresh refresh token without having the user sign in again. That's the whole point of a refresh token. You can have a refresh token for a reasonable time like a month and then forcefully invalidate it if user signs out though.
Related
Recently I am learning oauth 2.0, and all the docs said that when the refresh token invalid or expired and let the user to relogin. To my experience to use the apps, no apps need to relogin again after the first login. how did they do that? store the username and password and refresh the refresh token with the username and password? set the refresh token for a long time(for example, set the refresh token 5 year to expired)?how did they do that?
this is what we could silent refresh, when the client connects the first time, the token is refreshed in the background with the refresh token before the token expire, and for your refresh token, you don't need long lifetime you need just to keep the latest one.
see my other answer here
In my web application I am using access and refresh tokens to authorize user access to protected resources, the flow is as following:
The user, through a mobile app, sends a request to the "auth/token" endpoint providing his credentials. The server authenticates the user and issue an access and refresh token. The refresh token is saved in a whitelist to be able to revoke it later on, if necessary.
Upon access token expiration, the mobile app sends the refresh token to the "/token/refresh" endpoint presenting the refresh token. A new access/refresh token pair is created and the old refresh token is invalidated ,implementing in this way the token rotation.
Now the problem:
Let's say that the client refresh the token but never receive a response back from the server because the network is lost. After 30 mins the client tries to refresh again but its token is now invalid and the user is logged out. In the Oauth implementations we can set a time for the old token after which this will be invalidated, giving the possibility to the mobile app to resend the same refresh token if any problem occurs. But I do not think this is a solution because we can't be sure of when the mobile client will retry to refresh the token. It can be in some minutes, hours or worse also days.
How do you approach this problem?
The first solution I could think of is increasing expiration time.
I have implemented openid connect authentication using azure active directory in my website. The session expires every 1 hour. So the user is logged out, and redirected back to the login page. While analyzing based on it, i have found a solution in the below link, to use UseTokenLifetime = false
https://github.com/aspnet/Security/issues/147
Will this fix my issue? or is there any chance of increasing the session time?
Thanks in advance
Dinesh
Read here to learn more about Configurable Token Lifetime
In general, access tokens have a very short lifetime. This is intentional. Your web application should be using the refresh token which comes with your access token to acquire new access tokens once the original one expires.
When you get an access token and refresh token (assuming all default settings), the access token will last up to one hour. The refresh token will allow you to get a new access token + refresh token pair for up to 14 days. The new refresh token you get will last another 14 days, allowing you to chain new access tokens up to a total of 90 days, where you will need to eventually ask the user to sign in again.
You have the ability to configure token lifetimes such that your "refresh token chain" will never expire, however any individual access token or refresh token will eventually expire.
We are working on a project that uses Asana's API for integration. When a user authorizes the app to use Asana, we get the access token which is valid for an hour. In addition to that we also get a refresh token that can be used to renew the access token in future.
Could you please let us know how long will that refresh token stay valid for?
Refresh tokens are valid for 10 years, or until the user explicitly revokes the authorization.
I'm using oauth2 on a web server and the flow works flawlessly (https://developers.google.com/accounts/docs/OAuth2WebServer).
However, I have some situations in which I need to re-acquire a refresh_token (let's say for example that the refresh_token has been "lost").
In this case when I go through stages 1&2 again I only get an access_token and not a refresh_token.
If the user revokes permission through his google account console and goes through stages 1&2 again I will get a new refresh_token.
Is this known oauth2 behavior? is there a way to force a new refresh_token or getting the same one again?
From https://developers.google.com/accounts/docs/OAuth2WebServer:
Important: When your application receives a refresh token, it is important to store that refresh token for future use. If your application loses the refresh token, it will have to re-prompt the user for consent before obtaining another refresh token. If you need to re-prompt the user for consent, include the approval_prompt parameter in the authorization code request, and set the value to force.
Butter Answer is here. You have to add parameter approval_prompt=force in your post request for token.