 

What is the difference between using refresh token and Silent Authentication for SPA?

As I understand it, you must not issue a refresh token for an SPA. But there are options to get a new access token, like silent authentication.

To make things simple: you supply a refresh token to the Authorization Server (AS) and get a new access token. With silent authentication you pass the current access token to some endpoint on the AS and, if it is valid, you get a new access token.

So please correct me, because I do not understand why silent authentication is the more secure approach.

Arkady Rost asked Jan 15 '19 13:01



1 Answer

With silent authentication you pass current access token to some endpoint on the AS and if it is valid you get a new access token.

That's not correct.

The flow with silent authentication looks like this:

Auth Server (AS) and Client (SPA)

  • SPA redirects the user to log in with the AS.
  • AS logs the user in and redirects back to the SPA with an access token that can be used to access an API.
  • SPA calls the API until it gets a 401 (or uses some other mechanism to figure out that it is time to get a new access token).
  • SPA does a silent GET to the AS authorize endpoint in an attempt to get a new access token. It does not need to supply the old, expired access token.
  • IF AND ONLY IF the user still has a valid session with the AS (some sort of auth cookie, likely), the AS will respond with a valid access token (if the AS believes the request is valid).

A good article explaining silent authentication

For why to prefer an auth cookie over a refresh token, this question clarifies that.

Alex Buyny answered Oct 14 '22 07:10