Menu
I'm making SPA, and decided to use JWT for Authentication/Authorization, and I have read some blogs about Tokens vs Cookies. I understand how cookie authorization works, and understand how basic token authorization works. The problem is, I don't see how refresh token fits into it, seems to me it decreases security. Let me explain, as I see it:
When you authenticate user via username & password, you create session ID associated with that user. And set it as cookie, every time that client calls to your server it sends that cookie, and server can look up associated user in database or some other server side storage.
This approach is vulnerable to CSRF (Cross Site Request Forgery) To prevent CSRF You can use tokens with cookie
Server also needs to constantly look up storage to see to what user, the cookie points.
When you authenticate user via username & password, you create a signed Token, with expiration date, email address or userID, role, etc. in payload. For security tokens should have short expiration time. Tokens can be stored anywhere Local storage, Session storage, cookies. I will be using local storage, or session storage, to prevent XSRF.
So I want to use Refresh tokens to prevent user from needing to login constantly. So lets say on Authentication, I give user Access token and Refresh token, when users Access token expires, user can use Refresh token to get New Access token, This is what I don't get.
Currently I'm thinking about using:
Let's say it looks like this:
+--------+ +---------------+
| |------------ Authorization Grant --------->| |
| | | |
| |<--------------- Access Token -------------| |
| | & Refresh Token (cookie) | |
| | & XSRF Token | |
| | | |
| | | |
| |--------- Access Token ------------------->| |
| | | |
| |<----- Protected Resource -----------------| |
| Client | | Server |
| |--------- Access Token ------------------->| |
| | | |
| |<----- Invalid Token Error ----------------| |
| | | |
| | | |
| |---------------- Refresh Token ----------->| |
| | & XSRF Token | |
| | | |
| |<--------------- Access Token -------------| |
| | & XSRF Token | |
+--------+ & Optional Refresh Token +---------------+
Server would issue new XSRF Token every time Refresh token is used(after one XSRF token is used it stops working and server issues new one). What you think about this implementation ? In my eyes this limits server lookups to database, as it uses access tokens, access tokens is short lived, and user don't have to login constantly as it uses refresh token/cookie witch is protected by XSRF token.
Is this OK ?
Thanks !
354
Once they expire, client applications can use a refresh token to "refresh" the access token. That is, a refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again.
Refresh Token are typically longer lived than Access Tokens and used to request a new Access Token without forcing user authentication. Unlike Access Tokens, Refresh Tokens are only used with the Authorization Server and are never sent to a web service.
Access token and refresh token shouldn't be stored in the local/session storage, because they are not a place for any sensitive data. Hence I would store the access token in a httpOnly cookie (even though there is CSRF) and I need it for most of my requests to the Resource Server anyway.
The lifetime of a refresh token is much longer compared to the lifetime of an access token. Refresh tokens can also expire but are quiet long-lived. When current access tokens expire or become invalid, the authorization server provides refresh tokens to the client to obtain new access token.
Consider the access token to be a "dirty" token. Token you share a lot. I does not have to be one server you pass the token to, can be many. Because of this the attack surface rises. If one server does something stupid like writing tokens into server logs and then exposing the logs to the world, you want to limit the negative impact, therefore the access tokens are short lived, to limit the time the attacker can do something malicious.
On the other hand a refresh token is a "clean" token. Something you store for yourself to remember and use it only if you must. Of course if the attacker gains physical access to your computer and the user agent, then it is game over. But here we try to protect from the remote attacker. The refresh token should only be used when talking to an auth server or an auth endpoint. If you decide to make it a cookie - you can - just remember to limit the directory path to just the REST endpoints the token is to be passed to.
It looks good to my eye. Maybe I would not implement the XSRF Token just to save effort. I mean, what is the worst thing that can happen, if someone tries to attack over CSRF? He might be able to make you refresh your token. But the token will not be exposed to the attacker only because of CSRF.
I like your question. It is really well written! : )
60
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
