I am using the passport-openidconnect strategy, which works well, but the expiration of the session is short (3600 seconds) and I don't think it's changeable.
Would I use the refresh token to get another ID token?
If I do, where would I add that logic in something like this? https://github.com/passport/express-4.x-openidconnect-example/blob/master/server.js
For the refresh token, we will simply generate a UID and store it in an object in memory along with the associated user username. It would be normal to save it in a database with the user's information and the creation and expiration date (if we want it to be valid for a limited period of time).
Passport JS is authentication middleware for Node and Express JS. Passport JS can be used with any Express JS applications. It provides us with a strategy called Passport JWT that helps us to make authenticated requests and also to verify if the token is valid or not.
We need to create a method that saves the generated refresh_token in the database. Once we can handle the refresh token we receive and check that the token sent matches the one saved in the database, we can create our route to perform the refresh. Everything working!
The member must reauthorize your application when refresh tokens expire. When you use a refresh token to generate a new access token, the lifespan or Time To Live (TTL) of the refresh token remains the same as specified in the initial OAuth flow (365 days), and the new access token has a new TTL of 60 days.
The expiration of the session is configurable from the auth provider side. For example, if you are using auth0 as your authentication provider, you can configure the token timeout in the app settings (https://auth0.com/docs/tokens/guides/access-token/set-access-token-lifetime).

As far as the refresh token is concerned, passport itself doesn't support it and it's up to us to implement it. For auth0, you can renew the token by following the flow at https://auth0.com/docs/tokens/refresh-token/current. I pasted the code from that link:
```javascript
var request = require("request");

// Refresh-token grant against the provider's token endpoint.
// Replace the YOUR_* placeholders with your own values; keep the client
// secret and refresh token on the server, never in browser code.
var options = {
  method: 'POST',
  url: 'https://YOUR_DOMAIN/oauth/token',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  form: {
    grant_type: 'refresh_token',
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET',
    refresh_token: 'YOUR_REFRESH_TOKEN'
  }
};

request(options, function (error, response, body) {
  if (error) throw new Error(error);
  // body is JSON containing the new access_token (and expires_in)
  console.log(body);
});
```
Or you can use an add-on to passport: https://github.com/fiznool/passport-oauth2-refresh
```javascript
var passport = require('passport')
  , refresh = require('passport-oauth2-refresh')
  , FacebookStrategy = require('passport-facebook').Strategy;

var strategy = new FacebookStrategy({
    clientID: FACEBOOK_APP_ID,
    clientSecret: FACEBOOK_APP_SECRET,
    callbackURL: "http://www.example.com/auth/facebook/callback"
  },
  function(accessToken, refreshToken, profile, done) {
    // Make sure you store the refreshToken somewhere!
    // (the lookup arguments are elided in the add-on's README)
    User.findOrCreate(..., function(err, user) {
      if (err) { return done(err); }
      done(null, user);
    });
  });

// Register the strategy with passport and with the refresh add-on,
// so the add-on can reuse the strategy's client credentials later.
passport.use(strategy);
refresh.use(strategy);
```
```javascript
var refresh = require('passport-oauth2-refresh');

refresh.requestNewAccessToken('facebook', 'some_refresh_token', function(err, accessToken, refreshToken) {
  // You have a new access token, store it in the user object,
  // or use it to make a new request.
  // `refreshToken` may or may not exist, depending on the strategy you are using.
  // You probably don't need it anyway, as according to the OAuth 2.0 spec,
  // it should be the same as the initial refresh token.
});
```
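To answer the "where would I add that logic" part for the linked express-4.x-openidconnect-example, here is an added example of the refresh flow wired into an Express request pipeline. It is not code from passport-openidconnect, the example repository or the add-on above; it assumes that the strategy's verify callback stored `{ accessToken, refreshToken, expiresAt }` in `req.session.tokens` (for example with `passReqToCallback: true`, computing `expiresAt` from the token response's `expires_in`), and the `config` object, `fetchImpl` parameter and `/login` path are names chosen for this example. The middleware checks expiry on every request (with a small clock-skew margin), performs the same refresh-token grant as the `request` snippet above using Node's built-in `fetch`, keeps a rotated refresh token if the provider returns one, and drops the session when the provider rejects the refresh token so the user is sent back through the login flow instead of continuing with stale credentials.

```javascript
// Added example (not part of the original answer or of passport-openidconnect).
// Assumed session layout: req.session.tokens = { accessToken, refreshToken, expiresAt }
// where expiresAt is a Unix timestamp in seconds.

// Refresh a little before the real expiry so an in-flight request does not
// hit the resource server with a token that just expired.
const CLOCK_SKEW_SECONDS = 60;

// Build the stored token record from a token-endpoint JSON response.
// `previousRefreshToken` is kept when the provider does not rotate refresh tokens.
function tokensFromResponse(body, nowSeconds, previousRefreshToken) {
  if (typeof body.access_token !== 'string' || !Number.isFinite(body.expires_in)) {
    throw new Error('token endpoint returned no usable access_token/expires_in');
  }
  return {
    accessToken: body.access_token,
    refreshToken: typeof body.refresh_token === 'string' ? body.refresh_token : previousRefreshToken,
    expiresAt: nowSeconds + body.expires_in,
  };
}

// True when the access token is expired or about to expire.
function needsRefresh(tokens, nowSeconds) {
  return tokens.expiresAt - CLOCK_SKEW_SECONDS <= nowSeconds;
}

// Perform the refresh_token grant. `config` is an assumed object with
// tokenEndpoint, clientId and clientSecret; `fetchImpl` is injectable so the
// flow can be exercised without network access.
async function refreshAccessToken(config, refreshToken, nowSeconds, fetchImpl = fetch) {
  const res = await fetchImpl(config.tokenEndpoint, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      client_id: config.clientId,
      client_secret: config.clientSecret,
      refresh_token: refreshToken,
    }).toString(),
  });
  if (!res.ok) {
    // Typically invalid_grant: the refresh token was revoked, expired or
    // already used. The only safe recovery is a fresh login.
    throw new Error(`refresh failed with HTTP ${res.status}`);
  }
  return tokensFromResponse(await res.json(), nowSeconds, refreshToken);
}

// Express-style middleware. Mount it after passport.session() and before
// the routes that call APIs with the access token. `now` is injectable for tests.
function ensureFreshToken(config, fetchImpl = fetch, now = () => Math.floor(Date.now() / 1000)) {
  return async function (req, res, next) {
    const tokens = req.session && req.session.tokens;
    if (!tokens) return res.redirect('/login');
    if (!needsRefresh(tokens, now())) return next();
    try {
      req.session.tokens = await refreshAccessToken(config, tokens.refreshToken, now(), fetchImpl);
      return next();
    } catch (err) {
      // Do not log the tokens themselves; clearing them forces re-authentication.
      req.session.tokens = null;
      return res.redirect('/login');
    }
  };
}
```

In the example server.js this would be `app.use(ensureFreshToken(config))` placed after the passport session middleware, with the verify callback of the strategy being the place where the initial tokens are written to the session. The session store must be server-side for this to be safe, since the refresh token and client secret must never reach the browser.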