I am trying to implement JWT authorization.
I have read some articles that say we shouldn't store the JWT in the database. If that is true, I have the following question: how should we refresh the token, and how can we log the user out? In simple OAuth authorization I have the following database structure and store all the authorization info in it.
| user_id | access_token | refresh_token | expired_date |
|---------|--------------|---------------|--------------|
And if I want to refresh the token, I just check that the refresh_token in the request is valid and generate a new pair of access and refresh tokens; if I want to log the user out, I just remove the token from the DB. But how can I do all these operations with a JWT if we shouldn't store it in the DB?
Related
Currently I am using the /token endpoint to obtain an access token, an ID token (by including the openid+offline_access scope) and a refresh token for the Authorization Code flow. The value for code is the authorization code that I receive in the response from the request to the /authorize endpoint.
Also, to refresh the access token as well as the ID token, I am sending a token request with a grant_type of refresh_token.
Below is the reference link; I am trying to implement something similar in my custom OIDC application.
https://developer.okta.com/docs/guides/refresh-tokens/main/#renew-access-and-id-tokens-with-spas
Is it supposed to return both refresh_token and id_token, or are both optional if grant_type=refresh_token (with the openid+offline_access scope also added at the token endpoint) in the OpenID Connect concept?
Below is the link I am trying to understand.
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
When you use the refresh token, the purpose is to get a new access token. Optionally, depending on the backend configuration, you might get a new refresh token as well (if you use a one-time refresh token setup).
You never get a new ID token back; the ID token is usually a very short-lived token (like 5 minutes) and its main purpose is to describe how the user is authenticated and who it is. The main purpose of the ID token is to create the local session (typically a session cookie); after that the ID token has no real use.
I need to understand why the refresh token issued by AAD is not in JWT format (I used the Auth Code grant type to generate the refresh token). It looks something like the following: 0.ATYAoWHs1YRqUk-OAYpDkwKjaYAEJhrbDpBNmWw7q0NZVas2APk....(rest of the token).
Also, if we can get this refresh token in JWT format, how can we do that?
Thanks
Abhishek
It isn't in JWT format because it does not need to be.
A refresh token is data that you send to the identity provider to get new access tokens.
It should not have any other meaning for your application.
Store it securely and send it to AAD when you need new tokens.
Then take the new refresh token you get in the response and overwrite your previous refresh token with that.
The OAuth 2 RFC also talks about it https://www.rfc-editor.org/rfc/rfc6749#page-10:
A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.
I am using JWT tokens with Spring Security.
After successfully generating the token on login, I pass it to my ReactJS application, which keeps it in the localStorage object. I have one problem: on logout I delete the token, but using the same token I can still hit the secured API through Postman.
Since I know the token is not expired, is there any way I can re-issue a new token if the user keeps interacting, while I keep the expiry very small, like 5 minutes?
There are two solutions:
1: Re-issue a new token after every API response and update the token in the localStorage object of the React app using a filter.
2: Save all issued tokens in a repository/cache or in memory, then delete the token from this repository on logout. While validating the JWT, add one more check to see whether the token exists in the repository.
Is it a bad idea to use the access token also as the refresh token? For example, when the access token is expired, use the current access token to generate a new token with updated token information (roles, exp time, ...).
I am implementing the authorization and authentication flow for an API. I was thinking of two-legged OAuth (as the API is only going to be used by us, not by third-party applications). But I found some problems regarding tokens and their expiration periods.
I would request an access_token from /oauth/token with the username and password of the user. This endpoint should return a JWT as the access_token.
Next requests to the API will use that JWT to authenticate the user.
JWTs are supposed to expire after a period of time (1 day, for example). I have read that I need to implement a refresh endpoint with which the app could refresh the JWT, in order not to ask the user for username and password every day.
So, how could I generate that refresh_token? JWTs don't need to be stored in the DB (because of the crypto behind them), but should refresh_tokens be stored?
Thanks in advance
You could implement it either way; both have their pros and cons.
1. Send the refresh token as a JWT with a longer expiry date.
   - Con: you can't revoke the refresh token when needed.
   - Pro: you do not need a DB to store the token.
2. Send a random token, store it in the DB and associate it with the user and client.
   - Pro: you can revoke the refresh token whenever you want.
   - Con: you will require a DB to store the token.
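The second option above, as an added example that is not from the original answer; it also answers the first question on this page (how to refresh and log out when the access token is a JWT that is not stored) and follows the AAD answer's advice to overwrite the old refresh token with the new one. Only a hash of each opaque token is stored, every token is single-use (rotated on redemption, and a replayed old token revokes the user's whole set), and logout revokes all live tokens. The table layout, TTL and in-memory SQLite database are constructed for the demo.

```python
import hashlib, secrets, sqlite3
from typing import Optional, Tuple

REFRESH_TTL = 30 * 24 * 3600  # constructed value: 30-day refresh-token lifetime

def _h(token: str) -> str:
    # Store only a hash, so a leaked table does not hand out usable refresh tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class RefreshStore:
    """Opaque refresh tokens in a DB table, associated with user and client."""
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")  # in-memory for the demo
        self.db.execute("""CREATE TABLE refresh_tokens (
            token_hash TEXT PRIMARY KEY, user_id TEXT, client_id TEXT,
            expires_at INTEGER, revoked INTEGER DEFAULT 0)""")

    def issue(self, user_id: str, client_id: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # random, carries no meaning for the client
        self.db.execute("INSERT INTO refresh_tokens VALUES (?, ?, ?, ?, 0)",
                        (_h(token), user_id, client_id, now + REFRESH_TTL))
        return token

    def redeem(self, token: str, client_id: str, now: int) -> Optional[Tuple[str, str]]:
        """One-time use: check the token, revoke it, return (user_id, new_refresh_token)."""
        row = self.db.execute(
            "SELECT user_id, expires_at, revoked FROM refresh_tokens "
            "WHERE token_hash = ? AND client_id = ?", (_h(token), client_id)).fetchone()
        if row is None:
            return None
        user_id, expires_at, revoked = row
        if revoked:
            # A rotated token presented again means it was copied: drop this user's sessions.
            self.logout(user_id)
            return None
        if expires_at <= now:
            return None
        self.db.execute("UPDATE refresh_tokens SET revoked = 1 WHERE token_hash = ?", (_h(token),))
        return user_id, self.issue(user_id, client_id, now)

    def logout(self, user_id: str) -> int:
        """Revoke every live refresh token of the user; returns how many were revoked."""
        cur = self.db.execute(
            "UPDATE refresh_tokens SET revoked = 1 WHERE user_id = ? AND revoked = 0", (user_id,))
        return cur.rowcount
```

The caller issues a fresh short-lived access token (JWT or otherwise) alongside the new refresh token that redeem returns, and the client replaces its stored refresh token with the new one.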