Menu
I'm building a .net core web api.
Preface - I've implemented token authentication as per https://stormpath.com/blog/token-authentication-asp-net-core and https://dev.to/samueleresca/developing-token-authentication-using-aspnet-core. I've also read a few issues on github and here on SO.
This also came in handy https://goblincoding.com/2016/07/24/asp-net-core-policy-based-authorisation-using-json-web-tokens/.
After implementing it all I'm feeling like I'm missing something.
I've created a simple Angular application that sits in a web client. When I authenticate, client is sent a token. I'm storing that in session for now (still in dev so will address security concerns around where to store it later).
Not really sure this (JWT (JSON Web Token) automatic prolongation of expiration) is useful as I haven't implemented refresh tokens as far as I can see.
I noticed that when I call logout, and then log back in again, the client is sent a new token - as expected. However, if the token expiry time is passed (I set it to 1 minute for testing) and then the page is refreshed, the token seems to remain the same in my app. i.e. it's as if the token never expires?!
I would have expected the client to be returned a 401 Unauthorised error and I can then handle forcing the user to re-authenticate.
Is this not how this should work? Is there some auto-refresh token magic going on in the background that is default (I haven't set up any notion of refresh tokens in the tutorials explicitly)? Or am I missing something about the concept of token auth?
Also - if this is a perpetually refreshing token, should I be concerned about security if the token was ever compromised?
Thanks for your help
607
In short, you need to use REFRESH_TOKEN when ACCESS_TOKEN expires to get a new ACCESS_TOKEN. JWT has two kind of tokens: ACCESS_TOKEN and REFRESH_TOKEN.
NET Core 6.0 Web API application. Refresh tokens are extremely useful to ensure more application security. We usually give small expiration time for access tokens and after expiration, we use refresh tokens to get new access tokens. Hence, if any attacker gets this access token, they can't use it for longer time.
The JWT access token is only valid for a finite period of time. Using an expired JWT will cause operations to fail.
In the URL field enter the address to the refresh token route of your local API - http://localhost:4000/users/refresh-token . Click the Send button, you should receive a "200 OK" response containing the user details and a JWT token, and a cookie containing a new refresh token.
I believe this has to do with ClockSkew in JwtBearerOptions.
Change to TimeSpan.Zero as I believe the default is set to 5 minutes (not 100% sure though).
I have posted some sample code below that is to be placed in Startup.cs => Configure.
app.UseJwtBearerAuthentication(new JwtBearerOptions() { AuthenticationScheme = "Jwt", AutomaticAuthenticate = true, AutomaticChallenge = true, TokenValidationParameters = new TokenValidationParameters() { ValidAudience = Configuration["Tokens:Audience"], ValidIssuer = Configuration["Tokens:Issuer"], ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Tokens:Key"])), ValidateLifetime = true, ClockSkew = TimeSpan.Zero } }); If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
