I am trying to implement SvelteKit together with Hasura (GraphQL) and Firebase auth.
I have managed to sign in the user successfully, then store the access token and credentials in an HTTP-only cookie, so that each time the user revisits, they don't have to log in again.
I am not storing the "user" object in that cookie, as that contains sensitive data such as the refresh token that would be dangerous to expose. (Is that correct?)
My problem is that although I have set the expiry date of that cookie to seven days, the access token (rightfully) expires in an hour, and I have no way to refresh it.
Research here showed me I can use user.getIdToken() to refresh the token, but my problem is that I don't have the user object stored anywhere.
Am I missing something? Should I store the user object somewhere so I can refresh the token? Or is there another way to refresh the token?
I need the access token because it needs to be passed in the graphql headers to Hasura (it contains custom claims).
I have looked through the docs and stackoverflow to find alternative ways of refreshing the token, or to find ways to get the user object from an existing token or from any non-compromising information that I could store in my cookie - but found none.
This seems to answer a similar question but I didn't understand the answer: Firebase Auth - how to refresh access token without current user object
Related
In my application I have used aws cognito with next auth for user auth.
In the jwt callback that I have from api next-auth I receive an access token, which is then saved and sent to the client side. There, I save it in local storage and, among other things, I send it to my api which checks if it is correct.
The problem is that after an hour the access token expires and does not get a new one (always next-auth gives me old value). Has anyone had a similar flow and knows how to manage a session refresh? I will add that I am not automatically logged out because next-auth is managing it underneath, but it does not return the value of the new access token to me.
Do you have any ways how to manage this?
I can suggest a workaround that would take the least effort to solve this quickly. Amazon Cognito contains 3 kinds of tokens, the ID Token, Access Token and Refresh Token.
From the Amazon Cognito console, you can increase the validity of the token you're dealing with from there. A good idea is to refer to this answer.
Albeit you might need a couple of methods to assert security and robustness.
I'm using directus to grant users access to ressources required by an SPA written in Angular. To authenticate users I created an auth service and interceptor to handle sessions and attach the "Authorization" header. Those services work fine and login as intended. But here comes the problem:
Directus session times are configured with default values (15 min validity for access_token, 7d for refresh_token) but as soon as the access_token expires I cannot retrieve a new one using the refresh token. This bugs me, because the goal is to keep users logged in for the next 7d (refresh_token lifespan) or until logout if they check this option.
My attempts at achieving this:
Since i'm using graphQL, i tried the "auth_refresh" mutation from the authentication documentation. While the access token is still valid, refreshing works fine. After the access token expired there is no way to retrieve a new one via a valid refresh token.
Alternatively I tried to achieve a refresh via the POST request specified by the docs (to double check if it was some sort of config error with graphql) but I encounter exactly the same problems as with graphQL. Directus returns either "401 unauthorized : Token expired."
if i extend the lifespan of the access token for longer than the server defined lifetime,
Response: Sending a token with prolonged life
or "401 unauthorized : Invalid user credentials." if I request a new token without an
"Authorization" header.
Response: Sending no access token
The refresh token is correctly loaded and sent to the server as specified in the docs in both
cases.
Now my questions are:
Am I missing something? I haven't found any further specification in the docs and the Auth0 protocol specifies that a new access token should be retrievable with a valid refresh token.
If this feature is not intended: How could I achieve a "keep me signed in" option with directus? I would like to keep user rights management in one place and do not really want to handle user auth redundantly for my current use case.
2b. Why is the lifespan of the refresh token so much longer than the lifespan of the access token if this isn't intended?
One of my thoughts is, that it has to do with access rights of the "public" role on the "directus_sessions" table. But I can't think of a way to grant only read rights for owned/received tokens, since there are no payload variables available inside the filters. Could this be the cause? Would there be a way to achieve this?
Thx&Greetz
I understand that the ID token are JWT with an expiry. However, I am curious if there is a way to set some sort of expiry on the refresh token given by Firebase sign in that allows us to call Firebase to get a fresh ID token - AFAIK these never expire.
Refresh tokens don't expire after a certain time interval. The Firebase documentation on managing user sessions says:
Refresh tokens expire only when one of the following occurs:
The user is deleted
The user is disabled
A major account change is detected for the user. This includes events like password or email address updates)
But you can revoke the refresh token (since it's really just an OAuth2 token). See the documentation on revoking refresh tokens for more on that.
I'm using OAuth 2.0 to log in users in my website. Just like any kind of website, e.g. Google, Asana, etc. .
What I would like to know is if there is a way to revoke ONLY the access token and not the refresh token when the user logs out.
This is what I do:
when a user logs in, I create a session and obtain the access token (and the refresh token if the user logs in for the first time). When the user logs out, I just invalidate the session but the access token is still valid.
Sure, the access token will invalidate after a while or when the user logs in the web app again but what I want to know is if the access token can be invalidated during the log out process.
There's no generic answer to this question as the implementation of token revocation behavior wrt. related tokens is Authorization Server specific. Google will invalidate the refresh token together with the access token that is being revoked, other implementations may choose not to do so. Yet other implementations may not even offer a way to revoke access tokens at all.
For Google you can revoke the access token upon logout as described in https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke but it will also revoke the associated refresh token. You must then go through the authorization code flow again to get a new refresh token, which you could try with prompt=none to avoid the user being prompted.
After authenticating the user, I save the authorization token insidea database. Than I save his Id inside a cookie. Each time he accesses a page I check to see if the cookie is there. If it s not there, I try to get another authorization cookie and replace the old in the database, and create that cookie.
I have a deep feeling I am wrong:0 Can you tell me how should I handle this?
You should not deal directly with cookies but use a SDK that do it for you. For C#, you can use the Facebook C# SDK. Check out the API Quickstart guide if you want to have a good overview.
You should store the token in you database only if you ask the offline_access permission when you get the access token because token expires after a few hours.
If you do ask for the offline_access permission when you get the token, then you can store it in your database and make API calls with that token anytime you want (without having to check the user session or cookie).
Hope that helps !