As I understand it, you must not issue a refresh token for an SPA. But there are options to get a new access token, like silent authentication.
To make things simple, you supply a refresh token to the Authorization Server (AS) and get a new access token. With silent authentication you pass the current access token to some endpoint on the AS and, if it is valid, you get a new access token.
So please correct me, because I do not understand why silent authentication is the more secure approach.
There is no persistent storage mechanism in a browser that can assure access by the intended application only. As such, long-lived refresh tokens are not suitable for SPAs as there are vulnerabilities that malicious users could exploit to obtain these high-value artifacts, granting them access to protected resources.
Silent Network Authentication (SNA) is a form of secure consumer authentication to protect end-users, accounts, and transactions without requiring users to wait or leave your app. It uses direct carrier connections to verify possession of a phone number in the background without requiring user input.
Refresh tokens help improve the user experience (UX) around authentication. Since access tokens are typically only valid for a few minutes, an expired token can cause a user session to terminate without warning. Once that token expires, the user needs to reauthenticate to receive a new token and a new session.
The lifetime of a refresh token is much longer than the lifetime of an access token. Refresh tokens can also expire, but they are quite long-lived. When the current access token expires or becomes invalid, the authorization server lets the client use the refresh token to obtain a new access token.
With silent authentication you pass the current access token to some endpoint on the AS and, if it is valid, you get a new access token.
That's not correct.
The flow with silent authentication looks like this: the Client (SPA) sends a request to the Auth Server's (AS) authorize endpoint in an attempt to get a new access token. It does not need to supply the old, expired access token. IF AND ONLY IF the user still has a valid session with the AS (some sort of auth cookie, likely) will the AS respond with a valid access token (if the AS believes the request is valid). A good article explaining silent authentication.
For why an auth cookie is preferred over a refresh token, this question clarifies that.