I am using ember-simple-auth for authentication in my application. I have created my custom Authenticator. Upon successful authentication, the server returns the token and expire time which I store in session storage of simple-auth.
My question is how do I expires or invalidate this session based on the expire time set in the session?
I also need to invalidate the session on browser close event.
Thanks.
You can simply call the session's invalidate method. To call that after the expiration time that your server returns you could setup a timer with Ember.run.later or use automatic token refreshing as defined in the OAuth 2.0 standard which Ember Simple Auth OAuth 2.0 supports out of the box.
Related
I've been dealing with authentication, reading and watching videos about it. I came up building my own JWT solution, based on an access_token who expires after five minutes, and a refresh_token that never expires. I stored that tokens in cookies and I use the second one to provide more access_tokens when needed. I store the refresh_token in Redis, to be able to revoke if one of those is leaked / stolen.
Nowadays, I need to move my auth system to Google Firebase in order to store my users there, and to add the Google and Facebook login as well. But I found that I need to create a sessionCookie that expires in, as much, two weeks. After that, the user is signed-out from the app and it needs to access again manually. I want to refresh that firebase sessionCookie in the correct way (automatically, server-side), but the docs say nothing about it. I came up doing my own solution again, but I believe it is not right.
I don't want to use the getIdToken method because, with that thing of custom tokens, I need to modify each of my api calls in the client side, and that's not the idea. I want to do the refresh at server-side.
So, which is the correct way to refresh the sessionCookie automatically and to keep the user authenticated permanently?
Info that I read here:
How to Refresh Firebase Session Cookie (stackoverflow)
How to extend Firebase Session Cookie Beyond 2 weeks? (stackoverflow)
Refresh Tokens (by Auth0)
JWT Auth with Node.js (youtube)
Server-side Firebase Authentication Using Express JS (youtube)
And, of course, the official docs from Google Firebase
Firebase session cookies expire in an hour, to my knowledge this cannot be modified or changed. the main takeaway should be why you would need a token to expire after 2 weeks rather than demand it on a per need basis from the Refresh token?
The solution is to generate a custom JWT token and store it online(optional) and pass it to the client. The client then uses this key for long-term authentication. this does mean that all requests would have to be validated and decoded within your backend, the only issue from there would be local caching, which can be done in several ways including standard local storage and cookies.
The flow would be: Firebase Refresh token -> Generate Firebase Auth ID Token -> Get user.uid -> Load custom JWT from storage or Generate a new jwt from the admin-sdk.
From the Admin SDK documentation with custom auth, these 3 topics are of interest.
https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_the_firebase_admin_sdk
https://firebase.google.com/docs/auth/admin/create-custom-tokens#sign_in_using_custom_tokens_on_clients
https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_a_third-party_jwt_library
The only thing to figure out is how you want to store the jwt client side.
I am trying to enforce user logout after a period of inactivity, but I have had no luck.
I have a node web application that is using Auth0 and Passport for authentication. I have set the inactivity timeout on the tenant (from the tenant settings page on Auth0) and modified the jwt expiration on the application settings page, but none of these changes have had an effect on the behavior of the application.
Other information: in the application settings, I have set this as a Regular Web Application, and I have tried Basic and Post for Token Endpoint Authentication Method.
I have followed the node JS quickstart guide that Auth0 provides, as well as one of their blog posts using express-session, passport, and passport-auth0. I am configuring express-session and passport in the order that these two posts show, so I don't think that is the issue. I am guessing that there is an extra step needed to implement this functionality, but I can't find any documentation on Auth0's site or Passport's. I am also confused as to why these values are configurable if they don't seem to have any effect.
When I manually set the maxAge value in express-session's settings, I do see the application make a call to Auth0. However, this is not based on inactivity, and that is my primary goal here.
I work with the Auth0 Community and you are able to configure this as a setting with your Auth0 Tenant as described in the below documentation:
The intent of this approach allows the session to go inactive if the
user is no longer present, but otherwise provides a means to trigger
the silent token refresh so that they can continue their session
without the need to be prompted again for credentials.
Inactivity Timer: A rolling timer should be added to the React SDK
wrapper that aligns with the maximum idle lifetime of the Auth0
session. Each time a token is returned to the application the timer
should be reset.
Timeout Modal: When the timer hits 60 seconds from expiration a
timeout modal should render requesting the user to logout or continue
their session.
Continue the session: In the case the user chooses to continue their
session the getTokenSilently() method can be used to request a new
token without needing to redirect the user from the page they are
currently interacting with.
Logging out: In the case the user chooses to logout the logout()
method should be called to assure the Auth0 session is ended as well.
Idle Timeout: In the case that the idle timeout is reached no
immediate action is necessary. To handle the fact that the user may
still be active in another tab, the behavior should not be to log the
user out.
https://auth0.com/docs/sessions/concepts/session-lifetime
I hope this helps you on your quest!
I want to achieve following using KeyCloak. how can I do it? I am using node application using keycloak-js library.
The JWT token should include a refresh token.
The JWT access time should be set to two minutes, the refresh token expiry set to one hour.
Go to Keycloak Administrative Console.
Select your Realm.
Go to "Tokens" tab.
Set desired timeout in "SSO Session Idle" param
Refresh token timeout is controlled via "SSO Session Idle" param.
Set it to 1 hour in your case.
Bear in mind that there are no refresh tokens in "Implicit flow.
I'm fairly new to token based authorization. I'm trying to find the flaws in a custom expiration/token-refresh scheme.
I have a basic JWT auth setup in an Express API; I'm setting the JWT expiration to 1 hr; However, JWT checks token expiration relative to the time the token was issued. I would prefer that the expiration time gets reset after each successful api call. If my user is actively using the app for more than an hour, I don't want them to have to log back in to refresh the token (and possibly lose whatever data they are working on.)
On the the other hand, I do want the token to expire if they are not responsive for more than an hour.
I have come up with the following approach:
During every successful API request, issue a new JWT and send it in a
custom response header. My client side code is responsible for
checking this JWT response header and using its value as the new default Authorization request header. Thus, if there is no API
request from the user for more than 1 hour, the token will expire and
not be refreshed. Login would then be required. In addition, the original issue-date of the token (timestamp of login-authentication) will be stored so that a "hard-expiration" of the token will be enforced after 24 hours.
This seems fairly straightforward and reasonably secure, but I haven't seen any reference to it in my JWT research. Is there a better way to achieve the same goal? Am I missing a major security hole with this approach?
UPDATE:
After thinking of this for some time, I realized that the problem with this is that it opens the door to replay attacks that could not be thwarted by token expiration. So there should absolutely be a "hard-expiration" check: hard expiration would invalidate the token at some time after issue date, regardless of recent user activity.
Here you can check my answer for this scenario:
implementing refresh-tokens with angular and express-jwt
What I have done is to have a time window where the server checks if the token expiration and the local server time is in this window and then send a response header with the refreshed token.
If you agree and realize that you need a hard expiry time anyhow, why not set the expiry time of the (one and only) access token to that and stick to plain OAuth 2.0? An asymptote of what you're doing now, would be to issue your own API specific token/cookie after first use of the access token (in the API response) and enforce subsequent API access based on that. That is a valid approach, but duplicates a lot of stock OAuth 2.0 Authorization Server functionality in your own API. I don't see a good reason to go there.
I'm currently using OAuth 2.0 to access the Google API. From my understanding, I should use the returned refresh token to renew the access token. Should this be refreshed before it expires or should it be when the user requests data from the api using an access token that has expired?
If it should be done before it expires, should I just be running a cron job to update out of date tokens?
I'm using node.js and mongodb, if that has any bearing on the recommended solution.
Thanks a lot!
It should be seamless.
When the user requests data from the API using an access token that has expired, this should trigger your framework to fail, renew, then retry.
No need for any cron jobs or stuff like that in the apps i've created.