Is it a bad idea to use the access token also as refresh token? For example when
the access token is expired, use the current access token to generate a new token with updated token information (roles, exp time, ...).
Related
The GitLab access_token has an expiry time of 2hours, similarly does the refresh_token also has some expiry time?
Because sometimes, when I use the refresh_token to get new access_token it throws invalid_grant error.
I am thinking refresh_token does not have any expiry_time.
I am thinking refresh_token does not have any expiry_time
Indeed but they are linked to access_token.
In "Supporting Expiring OAuth Access Tokens for GitLab", GitLab explains:
How do you handle expiring tokens?
Once a token has expired, your API requests will fail and you will be
prompted by GitLab to generate a new token.
To do this, you must make another request to GitLab’s OAuth endpoint.
Much like the initial link, you must provide your application’s Client
ID and Client Secret, but instead of passing the linking code, you
will pass in the user’s refresh token.
This will invalidate both the existing access token (if it is still valid) and the refresh token you just used, and return a new
access token and refresh token.
The access token will be valid for another two hours. You will need
to store the new refresh token, as this token will be used the next
time you request a new token.
As we know that access token gives the client to access resources from resource server, I would like to know the contents and the process that happens with refresh token to get new access token.
I was tryging to experiment how oauth2 works, but got stuck at what refresh token does.
I would like to know the contents and the process that happens with
refresh token to get new access token.
Refresh token are generally opaque token (random unique string).
Refresh token is used to get new access token from the Authorization Server. Refresh tokens typically remain valid for longer time as compared to access token. In a typical client-server flow, when the access token expired, server reject the request then client uses the earlier obtained refresh token to get a new access token from Authorization Server. By doing so authentication between client and server remain uninterrupted and no re-authentication needed. Once the refresh token expired, client has to go through the complete authentication flow which usually require user intervention.
If I refresh an OAuth2 access token, is the current (old) token valid or invalid? Will the old access token valid until it receive its expired time?
In my applications there are multiple threads that use the same access token parallel. If the access token is going to its live end, for example there is only a minute until it expired, then one thread request a new access token with an refresh token.
Does I need a read lock on the access token to prevent a refresh on using the access token?
I need to understand why refresh token issued by AAD is not in JWT format( i used Auth Code grant type for generation of refresh token). It looks something like as follows 0.ATYAoWHs1YRqUk-OAYpDkwKjaYAEJhrbDpBNmWw7q0NZVas2APk....(rest of the token).
Also if we can get this refresh token in JWT format then how can we do that.
Thanks
Abhishek
It isn't in JWT format because it does not need to be.
A refresh token is data that you send to the identity provider to get new access tokens.
It should not have any other meaning for your application.
Store it securely and send it to AAD when you need new tokens.
Then take the new refresh token you get in the response and overwrite your previous refresh token with that.
The OAuth 2 RFC also talks about it https://www.rfc-editor.org/rfc/rfc6749#page-10:
A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.
I'm looking into Oauth2 to allow developers to authorize users of their app to use my service. I've found a few sources that say that my Authorization Server should return an access token when a user sends an assertion (JWT in my case) but that it should not return a refresh token. I'm wondering what the harm is in returning a refresh token. Developers could invalidate refresh/access tokens by calling an Api that invalidates any access granted from a particular JWT's id.
That recommendation is not correct. Refresh tokens are optional and can be issued at the discretion of the Authorization Server after client presents the authorization grant. See Oauth2 specification
1.5 Refresh tokens
Refresh tokens are credentials used to obtain access tokens. Refresh
tokens are issued to the client by the authorization server and are
used to obtain a new access token when the current access token
becomes invalid or expires, or to obtain additional access tokens
with identical or narrower scope (access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner). Issuing a refresh token is optional at the discretion of the
authorization server. If the authorization server issues a refresh
token, it is included when issuing an access token (i.e., step (D) in
Figure 1).