I am using a simple JWT auth firebase. backend checks if its a valid user and gives back an access token using JWT. Now I want to implement a refresh token. How can I do it? What should be the content of the refresh token? When I sign a new access token and go to protected a page but when fresh it, it go to login page again.
what should I do to also sign a refresh token? please help me anyone.
when you are generating JWT auth token generate refresh token with 1d or with no expiry time according to you requirement. After this send JWT and JWT-REFRESH token in the response of login API, after this make an API in your backend which accepts the refresh token from header or from body and in response generate a JWT token, in case of bad refresh token return 401 status code.
At client side if you are using axios, you can use axios-interceptors as a middle to detect if 401 is coming from any API, then in that case hit the refresh JWT token API to generate new auth token.
If refresh token API gives again 401 response then handle it as REFRESH token is also expire and redirect the user into login page.
Related
I need to know that if that possible to refresh the firebase access token from back-end using node.js. I can get the token from front end and I need to refresh it and verify if the token is expired.
condition : if the token expired then need to refresh it in the back-end. but the token is generating from front end.
You need the Refresh Token to get a new ID Token (Access Token). If you are using the Firebase Auth Client SDK, then it'll do all of this.
// This returns existing token if valid
// else it'll refresh the token and return an new one
const token = await auth.currentUser.getIdToken()
In case you still need to get new token in your backend server, then you can use Firebase Auth REST API.
Again, you'll need to store the refresh token in a secure place and I won't recommend doing this unless it's just for testing or you don't have any other way.
I have a React Native application with JWT authentication access to my backend.
When the user authenticates the backend returns an accessToken and a refreshToken the idea is, that both tokens are stored in AsyncStorage along with the expirationTime stored for both tokens.
Right now the implementation is so there is a setTimeout function that checks if the token is about to expire and uses the refreshToken to update the accessToken.
This made me wonder how much of a security upgrade it is using refreshTokens.
If both are stored in AsyncStorage (on the client), both could be accessed, what is the point of having the refresh token?
If an attacker got access to the client storage, they could simply update the access token with the refresh token?
I am building SPA app with its rest API and I cannot find information when I should refresh JWT using refresh token. Should I do this when I will receive 401 HTTP status from server (JWT expired) or for example every 15 minutes if possible (before JWT will expire)?
I'm not a security expert, but as far we know, we
1- login and save the received token
2- we put one interceptor that check every response (in angular it's easy, in react we usually use axios ...etc)
3- we check every response in the interceptor, if the response was 401 and the expiration date from the token has passed, we send a refresh token request and save the new token
to check expiration date you can use a library that decode the token like: jwt-decode on npm, (don't forget to wrap the process in try...catch in case somebody screw with the token) and you even can paste the token in https://jwt.io/ and see for your self the decoded token and check the expiration date.
4- repeat the last request with the new token should succeed.
5- if for example even the refresh token request failed, simply redirect the user to the login page
If the server is sending a proper error code in case of access_token expired then you can intercept the error code on the client-side and use the refresh_token you got earlier during authentication to get a new access token. You can repeat this process again and again until your refresh token gets expired. On that occasion, you should redirect the user to perform the authentication to get both the tokens.
Since an access_token has a short life period, for the users' convenience a refresh_token is used.
Let's imagine we have client side mobile iOs/android app. After the first login when the user provides his username and credentials then the subsequent request is sent to the server side which respond with access and refresh token.
But what if 1 minute left before access token expires or it has already expired. Should verification process be on the server side?
Server get a request (gateway proxy as example), read auth token from header, verify expiration time, under the hood update token if refresh token is present (in header as example), modify initial request and proceed with newly created access_token?
Or this kind of iterations should perform client app? On each request validate expires_in date and if so ask for a new access_token using refresh_token grant type and only after this make a remote call?
According to OAuth, when your initial token expires, depending the situation, you should refresh it by sending the refresh_token value to the respective server endpoint. Server does the refreshing operation generating a new token so you get a new token with a new expires_in date. You get many options on how you should send the refresh the token by the client, for example:
Having a timer and send the refresh action before token expiration.
If you have a 401 status error.
I would suggest you coding a HTTP interceptor and when a response get a 401 code, you should send the refresh action.
I'm using Oauth2 to handle authentication in my system. While the authentication works, I'm worried about the security of my refresh token endpoint. The front-end calls this endpoint to get a new access token after it expires.
My question is how would you prevent someone from calling that endpoint and getting a new access token? Would you use the access token to authenticate yourself? At the moment I'm using these tokens to authenticate API calls on a separate service.
The endpoint currently supports csrf, but that's probably not enough.
Thank you!
The refresh token is used to get the new access token. That is where the authentication happens.
You can decrease the time that a refresh token is valid.
You can also choose if you want the refresh token to be renewed or not with each call to refresh the access token.
Unauthenticated clients cannot call the refresh token endpoint and get a new access token.