I configured my realm.
Token configs in real settings
And I get jwt token:
JWT token with exp date
It look like I could make a long lifespan token. But it exripes anyvay.
Is it possible to make a token that never expires?
Related
History
Sessions-Cookies Age: As I know JWT use for decrease DB requests. sessions are normally stores in DB and all request need query to authentication the request. In small website and web app it's not a problem but in big apps performance is very important.
JWT Rise: With JWT you can skip this step (query to DB for authentication) and can use valid JWT that's signing with your server. You should send JWT token in all request in header but if this token is stolen the thief can use it to authenticate forever.
To protect this you can add expire time in your JWT but before expire time the thief can use this as user can. Now you can decrease expire time (for example 10 mins) to protect users but after expiring the token real users should login with user and password and this is a nightmare.
The Refresh Token is born: Now we can mixed JWT with cookie concept. refresh tokens are store in DB and you can control this by login and logout. after access token (a JWT token with short age) expired clients sends request to some end point to refresh access token in this end point sever check the DB and search for refresh token. if refresh token in White list (or not in black list) the sever generate new access token and return to clients. Now you can store access token in memory and refresh token in local storage or somethings like this.
XSS attack: local storage is not safe and with XSS attacks hackers can steal your local storage.
httpOnly cookies: You can store JWT tokens in httpOnly cookies. httpOnly cookies set from server and clients can't access this from JS.
CSRF attack: New problem with httpOnly cookies is CSRF attack. CSRF attacks come from sessions-cookie age.
My approach
Refresh tokens is very similar to cookies and now we are using cookie and JWT together access token is traditional JWT token and Refresh token is traditional session's token. every 10 mins (JWT age in my example) we are login with refresh token (or session's token) and between them we use access tokens.
If users send 100 request every 10 mins my DB request for authentication decrease 100x
NOW My Question
Did I understand how to use the JWT?
Nice explanation, I think you understand it well.
To add to your explanation, you may want to rotate the refresh tokens: after a refresh token is used to obtain a new access token, return a new refresh token and invalidate the old one. This would prevent someone who gained access to the old refresh token from using it.
I am hearing continously token name of different type. Can anybody explain me different type of token with some example.
Access token
Refresh token
Oauth Token
Bearer token
JWT token.
Please forgive me if my question is incorrect. I am highly consfused so looking for the answer.
Right, terminology can be very confusing. OAuth2 is the protocol to allow a client to get an access token to access the user's data on a resource server. The protocol is token agnostic (meaning it does not specify how the token looks). So OAuth token and access token are used interchangeably.
Often, the access token used in the protocol is a structured token in the JSON Web Token (JWT) format. It contains claims (name-value pairs) with info about the user and authentication that the resource server can use.
A bearer token is any token that can be used as the sole way of authenticating. If you have the token, you get access as the user for which it was issued. Nothing else required. OAuth2 typically uses bearer tokens, although some holder-of-key tokens (where you need to prove you acquired the token by signing something) are being added to the protocol. JWT tokens are usually bearer tokens.
Refresh tokens are used in some OAuth2 protocol flows to allow the client to get a new access token when the issued one expires without asking the user to log in again. They are typically just an identifier to some row in the data store of the authorization server.
My understanding is that upon successful login Cognito provides my service three tokens for a user, access, ID and refresh. In order to verify a token I'm using jsonwebtoken (jwt.verify(accessToken, pem)). This is all fine, I'm able to verify a token and obtain a new access token with my refresh token if it's expired.
However, my accessToken is valid for one hour. If I want to revoke all of a users tokens using cognitoUser.globalSignOut(), that token will pass my JWT verification using the JWT library for 60 mins as that is all done server side.
Is there a way to send a token to AWS Cognito and ask "Hey is this Token still valid?"
This thread might help you understand how a call to globalSignOut() affects the validity of the 3 tokens.
Is it possible to revoke AWS Cognito IdToken?
Cognito does not have an API to check the validity of the token. You will have to call one of your APIs and check if the call was successful or not.
Keycloak refresh token expiry is tied to SSO timeouts. If SSO Session Idle is set to 30 minutes, the refresh token will only work for 30 minutes. Session Idle can only be as large as Session Max, therefore the lowest of both is taken as the max refresh token life. How to specify the Refresh token expiry separately as we have for the access token? If the refresh token expires do we need to get another refresh token. Ideal refresh token expiry time?
A client application uses the refresh token to get a new access token without user interaction. It should do so before, or shortly after the access token expires. It will then receive a refresh token which is again valid for 30 minutes (Keycloak Session Idle Timeout). The client can repeat until the Session Max timespan is over.
As a client don't let the refresh token expire:
If the refresh token has expired, the client needs to direct the browser to the authorization endpoint. To prevent this, your application should use the refresh token when the access token gets invalid. Even better: Schedule a refresh for the time before the access token expires.
Scope offline access
As an alternative, the client could request scope "offline access". In this case, the refresh token lifetime is not bound to the SSO Session idle and Max settings.
For details see https://www.keycloak.org/docs/latest/server_admin/index.html#_offline-access
I need the IdentityServer3 session to expire at the same time as the access token. When the access token expires the user is being redirected to IdSvr it's just automatically issuing new Id and Access tokens. I want to force the user to authenticate again when the access token expires. I'm using the Implicit flow so I don't believe refresh token lifetimes come into play. I'm also using the OIDC-client-JS library.
Your approach doesn't make sense -- what would happen if there were 2 different access tokens?
The better approach is from the client to pass the prompt=login or max_age parameter on the authorization request. See the docs for more info: https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html