OAuth 2.0 Refresh Token multiple Tabs

When using the OAuth 2.0 JWT Refresh token implementation I came across the issue that it's really difficult to implement a solid Refresh Strategy on the Web Browser Client Side. Multiple Tabs can lead to a race condition with the requests.

The RFC does not explicitly say that the Refresh Token on the Server side should only be valid for one (the first) request, but I figured it was a good idea to invalidate the Refresh tokens when they are used.

There are already multiple "solutions" on Stack Overflow but none of them seem to be straightforward.

One solution is to add Jitter to the requests and synchronize requests over the Local storage.

If I understand correctly, you would put a variable into the Local storage when the request is started; other tabs check if this variable is set and then don't start the refresh? Do you know an example implementation of this? Maybe in React?

t16n Avatar asked May 15 '20 08:05

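One way to implement the localStorage coordination the question describes, as an added example that is not part of the original post and not taken from any library mentioned in the thread. It is framework-agnostic plain JavaScript (in React you would call `getAccessToken()` from your API client or a context provider). The `storage` object is injected: pass `window.localStorage` in a browser; the in-memory shim, the fake single-use token endpoint and the three-tab demo below are constructed for this example, and `refreshFn` is the place where a real app would POST `grant_type=refresh_token` to its token endpoint. Because localStorage has no compare-and-swap, the lock is best-effort (write, then read back) and the code tolerates losing the race; in browsers that support it, `navigator.locks.request()` is a real cross-tab mutex and is the cleaner primitive, and a `storage` event listener can replace the polling shown here.

```javascript
// Added example, not code from the original post: one tab refreshes, the
// others wait. A localStorage lock keyed by tab id plus random jitter keeps
// tabs from spending the single-use refresh token at the same instant.
// `storage` is injected: pass window.localStorage in a browser; the demo at
// the bottom uses a constructed in-memory shim so this file runs in Node.

const LOCK_KEY = "auth:refresh-lock";
const TOKEN_KEY = "auth:tokens";
const LOCK_TTL_MS = 10_000; // a lock older than this is stale (owner tab crashed/closed)

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
const jitter = (maxMs = 200) => Math.floor(Math.random() * maxMs);

function createRefreshCoordinator({ storage, refreshFn, tabId, now = Date.now }) {
  const readJson = (key) => {
    const raw = storage.getItem(key);
    return raw ? JSON.parse(raw) : null;
  };

  // Best-effort lock: write our id, then read back to see whether another tab
  // overwrote it in between. localStorage has no compare-and-swap, so a tiny
  // window remains; getAccessToken() below tolerates the losing refresh.
  function tryAcquireLock() {
    const lock = readJson(LOCK_KEY);
    if (lock && now() - lock.at < LOCK_TTL_MS) return false; // someone else is refreshing
    storage.setItem(LOCK_KEY, JSON.stringify({ owner: tabId, at: now() }));
    return readJson(LOCK_KEY).owner === tabId;
  }

  function releaseLock() {
    const lock = readJson(LOCK_KEY);
    if (lock && lock.owner === tabId) storage.removeItem(LOCK_KEY);
  }

  async function getAccessToken() {
    const cached = readJson(TOKEN_KEY);
    if (cached && cached.expiresAt > now()) return cached.accessToken;

    await sleep(jitter()); // spread simultaneous wake-ups across tabs
    const deadline = now() + LOCK_TTL_MS;
    while (now() < deadline) {
      const before = readJson(TOKEN_KEY);
      if (!before) throw new Error("no session: user must log in");
      if (before.expiresAt > now()) return before.accessToken; // another tab finished

      if (tryAcquireLock()) {
        try {
          const fresh = await refreshFn(before.refreshToken);
          storage.setItem(TOKEN_KEY, JSON.stringify(fresh));
          return fresh.accessToken;
        } catch (err) {
          // The refresh token is single-use: if another tab consumed it inside
          // the lock window, its result is already in storage. Only give up if not.
          const latest = readJson(TOKEN_KEY);
          if (latest && latest.refreshToken !== before.refreshToken) return latest.accessToken;
          throw err;
        } finally {
          releaseLock();
        }
      }
      await sleep(25 + jitter(50)); // lock held elsewhere: poll (a 'storage' listener also works)
    }
    throw new Error("refresh timed out");
  }

  return { getAccessToken };
}

// ---- constructed demo: three "tabs" sharing one storage, single-use refresh tokens ----
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => map.set(k, String(v)),
    removeItem: (k) => map.delete(k),
  };
}

// Stand-in for the token endpoint: every refresh token works exactly once.
function createFakeTokenEndpoint() {
  const used = new Set();
  let calls = 0;
  let serial = 0;
  return {
    calls: () => calls,
    refresh: async (refreshToken) => {
      calls += 1;
      await sleep(30); // simulated network latency
      if (used.has(refreshToken)) throw new Error("invalid_grant: refresh token already used");
      used.add(refreshToken);
      serial += 1;
      return { accessToken: `at-${serial}`, refreshToken: `rt-${serial}`, expiresAt: Date.now() + 60_000 };
    },
  };
}

async function demoThreeTabs() {
  const storage = createMemoryStorage();
  const endpoint = createFakeTokenEndpoint();
  // Seed an expired access token so every tab needs a refresh at the same time.
  storage.setItem(TOKEN_KEY, JSON.stringify({ accessToken: "at-0", refreshToken: "rt-0", expiresAt: Date.now() - 1 }));
  const tabs = ["tab-a", "tab-b", "tab-c"].map((tabId) =>
    createRefreshCoordinator({ storage, refreshFn: endpoint.refresh, tabId }));
  const tokens = await Promise.all(tabs.map((tab) => tab.getAccessToken()));
  return { tokens, refreshCalls: endpoint.calls() }; // expected: one refresh, all tabs hold "at-1"
}
```

Running `demoThreeTabs()` starts three coordinators against one storage with an already-expired access token; exactly one of them calls the endpoint and the other two pick up the rotated tokens from storage. The `catch` branch is the part that matters in production: with single-use refresh tokens, a tab that loses the race gets `invalid_grant`, and the correct reaction is to re-read storage rather than to log the user out.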


1 Answer

The answer above does not really answer the question:

  • Using the OIDC client library does not solve this problem, in fact it does not even use refresh tokens as far as I know.

  • Storing tokens in memory or session storage does not solve the problem but will generate even more, see below.

  • Using the AS's session cookie is not feasible in some cases. Usually this is a cross-domain cookie which cannot be used reliably on other sites. This concept is called "silent renewal" and requires the use of a cross-domain cookie in an iframe to refresh tokens (using the AS session). This concept sounds nice, but with browsers and users blocking more and more cross-domain tracking mechanisms this is really dangerous to use: in most cases, blocked cookies cannot be detected (which leads to sudden logouts after some seconds, especially when using the OIDC Session Management mechanisms). Redirecting through the AS when refreshing tokens is also not an option, as in many cases, tokens are JWT and only valid for some minutes, and breaking the experience by redirecting away from the app every few minutes is not an option.

With PKCE and Authorization Code flow in the browser it is fine to use and store refresh tokens, but as the original poster said, care has to be taken when refreshing (especially when refresh tokens can only be used once, which is desired in browser environments!)...

Nico Kaiser Avatar answered Oct 16 '22 20:10
