Changing (reinitializing) the CSRF token in Vaadin / Spring Security

Currently I'm working on hardening the security of a Vaadin project and I'm stuck on the CSRF token. The main idea is that I have a session ID before the user logs in and change the session ID after a successful login to avoid session fixation. I would like to do the same for the CSRF (aka XSRF) token: currently I have a CSRF token before the login and it remains the same after a successful login, which is wrong!
Now I want to reinitialize the CSRF token to a new value after the successful login. My question is: how do I change or reinitialize the token after a successful login?
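One way to do the rotation, as an added example that is not the asker's code and not part of Vaadin or Spring Security: a Spring Security `AuthenticationSuccessHandler` that discards the pre-login token from a `HttpSessionCsrfTokenRepository` and issues a fresh one. This is the same sequence Spring Security's own `CsrfAuthenticationStrategy` performs when CSRF protection is configured through `http.csrf()`; it is spelled out here so it can be attached to a custom login flow. It assumes Spring Security 6 with the `jakarta.servlet` namespace (use `javax.servlet` on 5.x) and rotates the Spring Security token, not the separate UI-level token that Vaadin keeps in `VaadinSession` (`VaadinSession.getCsrfToken()`).

```java
import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

/**
 * Example success handler (not part of the original question): after a
 * successful login, throw away the CSRF token that existed before
 * authentication and bind a brand-new one to the (already rotated) session.
 *
 * The session fixation protection strategy has run before this handler is
 * called, so the new token is stored in the new session, never the old one.
 */
public class CsrfRotatingSuccessHandler implements AuthenticationSuccessHandler {

    private final CsrfTokenRepository tokenRepository;

    /** Pass the same repository instance that http.csrf() is configured with. */
    public CsrfRotatingSuccessHandler(CsrfTokenRepository tokenRepository) {
        this.tokenRepository = tokenRepository;
    }

    /** Convenience constructor for the default session-backed repository. */
    public CsrfRotatingSuccessHandler() {
        this(new HttpSessionCsrfTokenRepository());
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        // 1. Remove the pre-login token so it can no longer be presented
        //    against the authenticated session.
        tokenRepository.saveToken(null, request, response);

        // 2. Generate and persist a fresh token for the authenticated session.
        CsrfToken fresh = tokenRepository.generateToken(request);
        tokenRepository.saveToken(fresh, request, response);

        // 3. Expose the new value to the rest of this request, under the same
        //    attribute names CsrfFilter uses, so whatever renders the login
        //    response (a redirect target, an XHR reply) emits the new token
        //    rather than the stale one.
        request.setAttribute(CsrfToken.class.getName(), fresh);
        request.setAttribute(fresh.getParameterName(), fresh);

        // Optional, for XHR/SPA-style logins: hand the client the new token in
        // the response header it is expected to echo back (X-CSRF-TOKEN by
        // default). Omit this if the token is only rendered into HTML forms.
        response.setHeader(fresh.getHeaderName(), fresh.getToken());
    }
}
```

Wire it with the same repository on both sides, e.g. `http.csrf(c -> c.csrfTokenRepository(repo)).formLogin(f -> f.successHandler(new CsrfRotatingSuccessHandler(repo)))`. A practical check before adding this: with the standard `http.csrf()` configuration Spring Security already registers `CsrfAuthenticationStrategy`, so if the token is observed to survive login, the login is most likely bypassing the Spring Security authentication filter (for instance a Vaadin login view calling `AuthenticationManager` directly), and the handler above, or a direct call to `new CsrfAuthenticationStrategy(repo).onAuthentication(auth, request, response)`, has to be invoked from that code path.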

Related

JWT: user invalidating the token on logout

I am using a JWT token with Spring Security.
After successfully generating the token on login, I pass it to my ReactJS application, which stores it in the localStorage object. I have one problem: on logout I delete the token, but using the same token I can still hit the secured API through Postman.
I know that the token has not expired, but is there any way that I can re-issue a new token if the user keeps on interacting, while keeping the expiry very small, like 5 minutes?
There are two solutions:
1: Re-issue a new token after every API response and update the token in the localStorage object of the React app using a filter.
2: Save all issued tokens in a repository/cache or in memory, then delete the token from this repository on logout. While validating the JWT token, add one more check to see if the token exists in the repository.
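The second option, as an added example that is not the answerer's code: an in-memory registry of issued token IDs that the validation filter consults after the signature and `exp` checks have passed. It assumes each issued JWT carries a unique `jti` claim and that parsing and signature verification happen elsewhere; the sample token IDs and expiries in `main` are constructed for illustration.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Example registry of issued JWT IDs (the "jti" claim). A token is accepted
 * only while its jti is present here; logout removes it, so an unexpired
 * token replayed from Postman is rejected even though its signature is fine.
 * Entries are pruned once their expiry passes so the map stays bounded by the
 * number of live sessions, not the number of tokens ever issued.
 */
public final class IssuedTokenRegistry {

    // jti -> expiry as epoch seconds (same value as the token's "exp" claim).
    private final Map<String, Long> active = new ConcurrentHashMap<>();

    /** Record a freshly signed token; call this where the token is issued. */
    public void register(String jti, long expiresAtEpochSeconds) {
        active.put(jti, expiresAtEpochSeconds);
    }

    /** Logout: forget the token. Returns false if it was not registered. */
    public boolean revoke(String jti) {
        return active.remove(jti) != null;
    }

    /**
     * Extra check for the JWT validation filter, run after signature and exp
     * have been verified: the jti must still be registered and not expired.
     */
    public boolean isActive(String jti, Instant now) {
        Long exp = active.get(jti);
        if (exp == null) {
            return false;                   // never issued, or revoked on logout
        }
        if (exp <= now.getEpochSecond()) {
            active.remove(jti, exp);        // expired: prune lazily and reject
            return false;
        }
        return true;
    }

    /** Housekeeping for a scheduled task; returns how many entries were dropped. */
    public int pruneExpired(Instant now) {
        long nowSec = now.getEpochSecond();
        int before = active.size();
        active.entrySet().removeIf(e -> e.getValue() <= nowSec);
        return before - active.size();
    }

    public int size() {
        return active.size();
    }

    public static void main(String[] args) {
        IssuedTokenRegistry registry = new IssuedTokenRegistry();
        Instant now = Instant.now();

        // Constructed sample: a 5-minute token issued at login, plus one that
        // expired a minute ago and is still lingering in the map.
        registry.register("jti-login-1", now.plusSeconds(300).getEpochSecond());
        registry.register("jti-stale-9", now.minusSeconds(60).getEpochSecond());

        System.out.println("before logout, active: " + registry.isActive("jti-login-1", now));
        registry.revoke("jti-login-1");      // user clicks logout
        System.out.println("after logout, active:  " + registry.isActive("jti-login-1", now));
        System.out.println("pruned expired entries: " + registry.pruneExpired(now));
        System.out.println("remaining entries:      " + registry.size());
    }
}
```

With short-lived tokens and option 1 (re-issue on every response), `register` is called for each new token and the old jti is revoked at the same time, so the registry never holds more than one live token per session. For more than one application instance the map would live in a shared cache instead of process memory.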

Is it secure to renew a token using the delegation endpoint in Auth0?

I want to create a single-page application with token-based authentication with Auth0.
My authentication use case is:
1.) Enter the username and password
2.) Get the token from the Auth0 server with an expiration time of perhaps 6 hours
3.) On the JavaScript side I check the expiration time of the current token
4.) If the token is still before its expiration I call the function renewIdToken via the Auth0.js library. It is an HTTP POST to the delegation endpoint of the Auth0 server.
auth0.renewIdToken(current_id_token, function (err, delegationResult) {
// Get here the new delegationResult.id_token
});
https://auth0.com/docs/libraries/auth0js
5.) If the token has expired then I redirect to the login page.
Is it secure to be able to renew the token via HTTP POST from anywhere?
What happens if the user loses the token and an attacker can use this token forever, because it is easy to renew it and it is not possible to revoke the token?
This scenario is without a refresh token; I only work with the token.
I read some topics where it is not recommended to use refresh tokens in the SPA scenario.

What is the expected behavior of posting a form with an expired auth token in ASP.NET MVC with OpenID Connect via Azure AD?

I have an ASP.NET MVC 5 web application that uses OpenID Connect via Azure AD to manage user authentication. I think I understand that once authenticated, the auth token is valid for one hour, at which point the OWIN middleware will handle refreshing the auth token in the background without the user having to be redirected to the login page and re-enter their username/password. I have observed this by watching the address change in the address bar of the browser after the auth token expires.
My problem is that I have a form that users stay on for a long time (60+ minutes) while they are doing interviews and entering data. The auth token expires, and when the user tries to submit the form the auth token refresh happens in the background and the form is never posted to my application. Instead, the view is refreshed (from the HTTP GET that happens after the auth token is refreshed) and the user loses all of the data they've collected over the last hour.
Is this the expected behavior, or do I have something configured incorrectly?

Refresh the OAuth LinkedIn token

I'm working on an iOS app which uses login via LinkedIn. I'm using a web view for the user to log in and getting the token from LinkedIn. If I understand it correctly, the token which I received is valid for a short period and hence I need to make a call to LinkedIn with the existing token to get a new token with an extended period. Can you please let me know what API I should call to refresh the token to get the new token with the extended validity?
I'm currently using https://github.com/jeyben/IOSLinkedInAPI
According to LinkedIn there is no direct API to call to refresh an OAuth 2 token. What's supposed to happen is, if:
1. The user is logged into LinkedIn
2. They have a current (less than 60 days old) token
then pointing them to the authentication URL will trigger a refresh of their token, without needing the user to log in.
In using the iOSLinkedInAPI library, this didn't seem to be the case.
What I figured out was that the authentication flow wasn't generating a login session cookie from LinkedIn in the iOS simulator or on a device, so requirement 1 was never being met.
You need to have the user log in through the regular LinkedIn login page, and this gets you that session cookie, which you can cache. After you send the user to authenticate your app, you can load that cached cookie into NSHTTPCookieStorage's sharedHTTPCookieStorage each time you want to call the authentication URL to refresh the user's token.
I created a helper class with an example if you want to check that out:
iOSLinkedInTokenAuthorizer

How to prevent automatic token refresh with Doorkeeper OAuth?

I'm using the Doorkeeper gem to provide OAuth in a Rails app. The client is a Chrome extension.
I have 'use_refresh_token' commented out in doorkeeper.rb, and 'access_token_expires_in' set to 1 minute. I thought that would force the client to re-auth after a minute. But re-auth is happening automatically, regardless of whether use_refresh_token is present or not.
With use_refresh_token present, a new row is added to 'oauth_access_tokens' every time the access token expires. No new row is added to 'oauth_access_grants'.
With use_refresh_token commented out, new rows are added to both tables, which I would expect if the client was manually re-authing. But it appears to be happening automatically: the user is granted access without having to re-auth the app through the OAuth login screen, as I'd like.
Apologies for my ignorance; I'm new to both Doorkeeper and OAuth and haven't found any clues on Google et al.
OAuth 2.0 is working as designed: the client sends the user to the authorize URL to get the access token, and while the user is not authorized to get a token the server redirects him to the login page. I think the point in your case is that the expiry time is too short, so the session opened when the user entered their username and password for the first time is still valid; when your client asks for a new token it gets one, as the user is still logged in on the authorization server. You can change the session time to be less than the token validity time and test it.
