
Usage of Refresh Token in OAuth2.0

I am implementing an OAuth2.0 server and trying to understand the concept of the refresh token, how to use it to obtain the access token, and also how to store it securely.

One thing which sounds very confusing to me is this: since OAuth2.0 tokens are short-lived tokens, suppose that after logging in successfully the server gave me a token like this:

{
    "token_type":"bearer",
    "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiVlx1MDAxNcKbwoNUwoonbFPCu8KhwrYiLCJpYXQiOjE0NDQyNjI1NDMsImV4cCI6MTQ0NDI2MjU2M30.MldruS1PvZaRZIJR4legQaauQ3_DYKxxP2rFnD37Ip4",
    "expires_in":3600,
    "refresh_token":"fdb8fdbecf1d03ce5e6125c067733c0d51de209c"
}

Access tokens are short-lived tokens, and in my case they expire after 1 hour.

Suppose a user is browsing a protected resource with their access token credentials, and after some time the access token expires and their request returns a response like this.

{
  "code":401,
  "error":"invalid_token",
  "error_description":"The access token provided has expired."
}

Now a new access token can be generated using the refresh token stored in the browser cookie, but isn't the user experience affected? Each time an access token expires after an hour, a valid request by the client gets rejected because of the expired access token, and then we have to first fetch a new access token and then try that request again.

Does fetching a refresh token only work like that, or am I missing some important concept?

Also, how can one store the refresh token securely in a cookie, since that is also not the most secure way to store it?

A refresh token is a special kind of token that can be used to obtain a renewed id_token at any time. Refresh tokens must be stored securely by an application because they essentially allow a user to remain authenticated forever.

The response of an authentication request can result in an id_token being issued by OAuth. This token can be used to make authenticated calls to a secured API.

Among other security measures like signing, OAuths have an expiration date indicated by the exp claim. However, applications that are locally installed on a device such as a desktop or smartphone might want to avoid asking the user to enter credentials each time a token expires.

A refresh token allows the application to request OAuth to issue a new id_token directly, without needing to re-authenticate. This works as long as the refresh token has not been revoked.

Security considerations

Because a refresh token never expires, it is important to provide a way to revoke them. This can be done manually from the dashboard or programmatically through Auth's API.

Refresh tokens can be issued and revoked for each combination of app, user and device. To revoke a refresh token, you can call the revoke refresh token endpoint:

DELETE https://YOUR_NAMESPACE/api/users/<user id>/refresh_tokens/<refresh token>

{
  "Authorization":   "Bearer <your access token>"
}

Obtaining a refresh token

To obtain a refresh token, the offline_access scope and an arbitrary device name must be included when initiating an authentication request through the /authorize endpoint. For example:

GET https://YOUR_NAMESPACE/authorize/?
    response_type=token
    &client_id=YOUR_CLIENT_ID
    &redirect_uri=YOUR_CALLBACK_URL
    &state=VALUE_THAT_SURVIVES_REDIRECTS
    &scope=openid%20offline_access
    &device=my-device

Using a refresh token

To obtain a new id_token, the delegation endpoint is used:

POST https://YOUR_NAMESPACE/delegation
Content-Type: 'application/json'
{
  "client_id":       "YOUR_CLIENT_ID",
  "grant_type":      "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "refresh_token":   "your_refresh_token",
  "api_type":        "app"
}

A response from this request could be as follows:

{
  "token_type": "Bearer",
  "expires_in": 30000,
  "id_token": "eyJ..."
}

The expires_in parameter indicates the lifetime of the new JWT in seconds. It can be calculated by the difference between the exp and iat claims of the JWT.

IMPORTANT ADVICE: obtaining new tokens using the refresh_token should happen only if the id_token has expired. For example, it is a bad practice to call the endpoint to get a new token every time you do an API call. There are rate limits in Auth0 that will throttle the amount of requests that can be done using the same token from a certain IP to this endpoint.

For further reading, try the link below:

https://auth0.com/docs/refresh-token
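Added example (not code from the question, the answers or Auth0's documentation) of the client-side handling both posts describe: a token client that tracks expires_in and refreshes shortly before the access token runs out, so the user never sees the 401 invalid_token response from the question, retries once if a token was revoked early, and does not hit the refresh endpoint on every API call. FakeAuthServer, TokenClient, the 60-second leeway and REFRESH_TOKEN_PLACEHOLDER are constructed stand-ins, not Auth0 endpoints or values.

```python
import secrets

class FakeAuthServer:
    """Constructed stand-in for the token endpoint and the protected API (not Auth0)."""
    def __init__(self, clock, lifetime=3600):
        self.clock, self.lifetime = clock, lifetime
        self.refresh_calls = 0    # how often the refresh endpoint was hit
        self.valid = {}           # access token -> expiry (epoch seconds)
    def refresh(self, refresh_token):
        # mint a new short-lived access token; the refresh token itself is assumed valid here
        self.refresh_calls += 1
        token = secrets.token_hex(16)
        self.valid[token] = self.clock() + self.lifetime
        return {"token_type": "bearer", "access_token": token, "expires_in": self.lifetime}
    def resource(self, token):
        # protected resource: 401 invalid_token once the access token has expired or was revoked
        if self.valid.get(token, 0) > self.clock():
            return 200, {"data": "ok"}
        return 401, {"error": "invalid_token", "error_description": "The access token provided has expired."}

class TokenClient:
    """Refreshes shortly before expiry (derived from expires_in) and retries once on 401."""
    def __init__(self, refresh_fn, refresh_token, clock, skew=60):
        self.refresh_fn, self.refresh_token, self.clock, self.skew = refresh_fn, refresh_token, clock, skew
        self.access_token, self.expires_at = None, 0
    def _refresh(self):
        r = self.refresh_fn(self.refresh_token)
        self.access_token, self.expires_at = r["access_token"], self.clock() + r["expires_in"]
    def call(self, api_fn):
        if self.access_token is None or self.clock() >= self.expires_at - self.skew:
            self._refresh()       # proactive refresh: the user never sees the 401 round trip
        status, body = api_fn(self.access_token)
        if status == 401 and body.get("error") == "invalid_token":
            self._refresh()       # revoked token or clock drift: refresh once, retry once, then give up
            status, body = api_fn(self.access_token)
        return status, body

def demo():
    """Drive the client with a fake clock; returns (seconds, status, refresh_calls) per API call."""
    now = [1000.0]
    auth = FakeAuthServer(lambda: now[0])
    client = TokenClient(auth.refresh, "REFRESH_TOKEN_PLACEHOLDER", lambda: now[0])
    out = []
    for t in (0, 1800, 3500, 3600):
        now[0] = 1000.0 + t
        out.append((t, client.call(auth.resource)[0], auth.refresh_calls))
    auth.valid.clear()            # simulate server-side revocation of every access token
    out.append(("revoked", client.call(auth.resource)[0], auth.refresh_calls))
    return out
```

Across five API calls spanning the full hour plus a revocation, the refresh endpoint is called only three times: once at first use, once just before expiry, and once after the revoked token produced a 401.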

A refresh token is a token that you use to get another valid token to interact with the API you're using, since the tokens are short-lived. Then, since tokens are short-lived, you would have to get another oauth2.0 credential from the user every time you want to access the API. How to avoid this? -> Refresh token.

As told, a refresh token is not a token for API access at all; it's just a kind of token that you use to get new short-lived tokens each time.

Then your first login credential gets a token and a refresh token with the user's consent; after that you don't need user consent anymore, just use the refresh token.

Not sure if I'm answering your question :)
