How to save refresh tokens?

I'm trying to add an authentication feature to my application. The authentication server implements OAuth 2.0.

I'm not sure how to save the refresh_token. I want to save it to a file, so that the next time the application starts and a refresh_token is available, it can ask for a new access_token. The user won't need to log in again.

But this doesn't sound secure to me, because if someone copies my file that has the refresh_token to another computer, he can hack into my account.

Bill Yan asked Jan 04 '13 19:01


1 Answer

You are correct about the attack that you describe. Refresh tokens have to be stored securely in order to be used as intended. As I understand it, you are building a standalone application. Therefore, you can rely on file system security to prevent a refresh token from being copied by an unauthorized user. You may want to use encryption for the refresh token, too, but the key would need to be bound to a user's session on your local machine (otherwise, the user would need to provide it during the sign-in process in order for the application to decrypt the refresh token).

Consider reading the thread from the OAuth WG, that discusses similar problems to the one described and provides some guidance: https://www.ietf.org/mail-archive/web/oauth/current/msg02292.html

mmachulak answered Sep 18 '22 11:09
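The file-system part of the answer above, as an added example that is not code from the original question or answer: the token file is created owner-only (mode 0600) and replaced atomically, the loader refuses a file whose owner or permissions no longer look right, and there is a helper to drop the token once it is no longer needed. It assumes a POSIX filesystem; the path, function names and sample token are constructed.

```python
import os
import stat
import tempfile
from typing import Optional

# Added example, not code from the original question or answer: keep the
# refresh token in a file only the current user can read, and refuse to use
# it if ownership or permissions no longer look right. Assumes a POSIX
# filesystem; path, function names and the sample token are constructed.

TOKEN_MODE = stat.S_IRUSR | stat.S_IWUSR  # 0600: owner read/write only


def save_refresh_token(path: str, token: str) -> None:
    """Write `token` to `path` with mode 0600, replacing the file atomically."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600, so the token is never
    # readable by other users, not even before the explicit chmod below.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".refresh_token.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(fd, TOKEN_MODE)
            f.write(token)
        os.replace(tmp_path, path)  # atomic: readers see old or new, never partial
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def load_refresh_token(path: str) -> Optional[str]:
    """Return the stored token, or None if it is missing or not safely stored."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # do not follow symlinks
    except FileNotFoundError:
        return None
    with os.fdopen(fd, "r") as f:
        st = os.fstat(fd)  # inspect the file we actually opened
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            return None  # not a regular file, or owned by another user
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            return None  # group/world access: treat the token as exposed
        return f.read().strip() or None


def discard_refresh_token(path: str) -> None:
    """Remove the stored token, e.g. on sign-out or after the server rejects it."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
```

Encrypting the file contents is a separate step the answer leaves open; this example only covers the permission and ownership checks.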