Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OAuth 2.0 Refresh Token multiple Tabs

Tags:

authentication

race-condition

refresh-token

oauth-2.0

jwt

When using the OAuth 2.0 JWT Refresh token implementation I came across the issue that it's really difficult to implement a solid Refresh Strategy on the Web Browser Client Side. Multiple Tabs can lead to a racing condition with the requests.

The RFC does not explicitly mention to have the Refresh Token on the Server side only valid for one (the first) request, but I figured it was a good idea to invalidate the Refresh tokens when they are used.

There are already multiple "solutions" on stack overflow but none of them seem to be straight forward.

One solution is to add Jitter to the requests and synchronize requests over the Local storage.

If I understand correctly you would put a variable into the Local storage when the request is started other tabs check if this variable is set and then don't start the refresh? Do you know an example implementation of this? Maybe in React?

like image 411
t16n Avatar asked May 15 '20 08:05

t16n

1 Answers

The answer above does not really answer the question:

  • Using the OIDC client library does not solve this problem, in fact it does not even use refresh tokens as far as I know.

  • Storing tokens in memory or session storage does not solve the problem but will generate even more, see below.

  • Using the AS's session cookie is not feasable in some cases. Usually this is a cross-domain cookie which cannot be used reliably on other sites. This concept is called "silent renewal" and requires the use of a cross-domain cookie in an iframe to refresh tokens (using the AS session). This concept sounds nice, but with browsers and users blocking more and more cross-domain tracking mechanisms this is really dangerous to use: in most cases, blocked cookies cannot be detected (which leads to sudden logouts after some seconds, especially when using the OIDC Session Management mechanisms. Redirecting through the AS when refreshing tokens is also not an option, as in many cases, tokens are JWT and only valid for some minutes, and breaking the experience by redirecting away from the app every few minutes is not an option.

With PKCE and Authorization Code flow in the browser it is fine to use and store refresh tokens, but as the original poster said, care has to be taken when refreshing (especially when refresh tokens can only be used once, which is desired in browser environments!)...

like image 189
Nico Kaiser Avatar answered Oct 16 '22 20:10

Nico Kaiser
Sign in to Comment

Related questions

Google + Authentication without Passport.js
HTTP Basic Authentication + Access Token?
Spring boot + thymeleaf: get logged in user
How to implement AccountManager in my app
jhipster 2 : What is the difference between the authentication option?
Custom Authentication with Azure Mobile Apps
Add extra headers to websocket connection from browser in Dart
How to authenticate user in Web API 2 when being part of a legacy ASP.NET MVC application?
Request Token with JQuery from Web API
Epson TM-T88V-i digest authentication not working
Bypassing Email Verification within Azure AD B2C during Signup Signin on Mobile app
How to make JWT cookie authentication in Laravel
How to protect web API request call from third-party tools such as Postman?
How to migrate SimpleMembership user data to ASPNET Core Identity
How to authenticate Inbound Mail? With SendGrid specifically?
OAuth2 authorization for API in Python
Google Classroom API Object Authentication
Mysterious 401 challenge when using AJAX
Flutter - onGenerateRoute with Await for auth Guard
with the Twitter API - how can I get authentication for the engagement endpoint using a bearer token

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!