What JWT Tokens should be stored for use later?

I am looking at implementing Cognito for user login and would like to understand the process of validating JWTs a little better.

The application in question is on asp.net 4.5 MVC and not related to .NET Core. The only information on AWS Cognito I can find online relates to .NET core.

I understand the meaning of each token type as documented here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token

I also understand the required steps in validating a JWT: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

My question is which JWT needs to be validated and at what stage?

Example 1.
A user logs in, once logged in they are returned with an Access, ID and Refresh token.
Do all of the tokens need to be validated at this point or just the Access token?

Is the refresh token only validated before trying to use it (in order to gain new access and ID tokens)?
Or should all tokens be validated on any authorised content request?

What tokens should be stored in the FormsAuthentication Cookie for use later? We are using the standard [Authorize] pattern in asp.net.

Asked Oct 15 '22 07:10 by StuartM


1 Answer

Question: Do all of the tokens need to be validated at this point or just the Access token?

Answer: Validation is always done on Access token only.

The refresh token itself need not be validated. It is merely used for the purpose of obtaining a fresh set of ID and access tokens.

Question: What tokens should be stored in the FormsAuthentication Cookie for use later?

Answer: This is specific to implementation. There is no rule on what token must be saved.

If the requirement is to just know the user's email or phone number, then just the ID token can be saved.

If the requirement is to allow one-time access for up to an hour for the user, then storing just the access token is sufficient.

If the requirement is to allow the user to access the resource for up to 30 days, without being prompted for a password, then the refresh token must be saved.

Answered Nov 15 '22 04:11 by Gopinath
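The validation steps from the linked Cognito documentation (look up the signing key by `kid` in the pool's JWKS, check the signature, expiry, issuer, `token_use`, and `aud` or `client_id`), as an added example for ASP.NET 4.5 MVC that is not part of the question or answer above. It assumes the `System.IdentityModel.Tokens.Jwt` NuGet package (its net45 build) and uses placeholder region, user pool id and app client id values that must be replaced with the real ones.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;   // NuGet: System.IdentityModel.Tokens.Jwt
using System.Net;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

public static class CognitoTokenValidator
{
    // Placeholder values (assumed): replace with the pool's region, pool id and app client id.
    private const string Region = "eu-west-1";
    private const string UserPoolId = "eu-west-1_EXAMPLE";
    private const string AppClientId = "EXAMPLE_APP_CLIENT_ID";
    private static readonly string Issuer =
        "https://cognito-idp." + Region + ".amazonaws.com/" + UserPoolId;

    // The JWKS is fetched once and cached; the 'kid' header of each token selects the key.
    private static readonly JsonWebKeySet Jwks =
        new JsonWebKeySet(new WebClient().DownloadString(Issuer + "/.well-known/jwks.json"));

    // expectedUse is "access" or "id" and must match the Cognito 'token_use' claim.
    public static ClaimsPrincipal Validate(string jwt, string expectedUse)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,                 // token must come from this user pool
            IssuerSigningKeys = Jwks.Keys,        // RS256 signature checked against the JWKS
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,              // rejects tokens past their 'exp'
            ClockSkew = TimeSpan.FromMinutes(1),
            // Only the ID token carries 'aud'; the access token carries 'client_id' instead.
            ValidateAudience = expectedUse == "id",
            ValidAudience = AppClientId
        };

        SecurityToken validated;
        ClaimsPrincipal principal =
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
        var token = (JwtSecurityToken)validated;

        // Cognito-specific claim checks that the generic validator does not perform.
        object tokenUse;
        if (!token.Payload.TryGetValue("token_use", out tokenUse) || (string)tokenUse != expectedUse)
            throw new SecurityTokenException("unexpected token_use claim");

        object clientId;
        if (expectedUse == "access" &&
            (!token.Payload.TryGetValue("client_id", out clientId) || (string)clientId != AppClientId))
            throw new SecurityTokenException("access token was issued for a different app client");

        return principal;
    }
}
```

Call `Validate(idToken, "id")` before trusting identity claims such as email, and `Validate(accessToken, "access")` before serving protected resources; the refresh token is only sent back to Cognito and is never validated locally.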