how to store access token after authentication in google Drive And please tell me how to auto refresh token if it is expired.
please provide example of it.
in my Web Application it stores Token in %AppData% Folder but i want to store in Sql Server database.
Thanks in advance.
You don't store the access token as it only lives for one hour. If you really really want to store it anyway (maybe as a kind of keepsake) it's just a simple string so store it as you would any other string. The thing you should be storing is the refresh token, which is also just a string.
You can store the refresh to SQL database.
As far as i know you can use this refresh token when the access token expires.
There are two ways to handle refresh tokens:
1. Create a service that checks all the access token and refresh ones that are due to expire.
2. Or request a new access token using refresh token whenever you get an access token expiry error from the server during api calls. And then request the same api call once the access token is managed.
I am not sure if these are the best ways to handle refresh token.
Also my other question is whether it is common to store the access token. Or are we supposed to just authorise and get new access token every time we make api calls.
Any recommendations and experiences would be really appreciated.
Cheers.
Related
I am building an asp .net mvc project and I want to save the user who is currently logged in , So I read about sessions and cookies and I found that authentication tokens stored in a cookies are a solution for the problem, So I read about them and I need to know If I am understanding this before implementing anything here What I get until now :
After the user logs in, I generate an authentication token (using a GUID generating method)
The generated authentication token is stored in a cookie in the client browser for .....(I don't know for how long would sound acceptable if someone can plot this thing out for me)
The generated authentication token is stored in my database (hashed for further security using SHA256 hashing method) and corresponding to it the account id of the user and its account type (user or admin)
I check the cookie first thing to know where the user will go to the user or the admin or even to log in page
If the user logs out or the cookie expired and then logs in again , I generate a different token and don't use the stored one in the database (Not sure about this one)
I would really appreciate it if someone tells me if I am missing something or I am doing something wrong ?
What kind of front end are you using? If you use razor. You don't need authentication tokens. These tokens are typically used when you communicate with your backend through API calls. You don't store authentication tokens in database. You can store your refresh tokens.
I have found many links but I didn't get the solution for my problem.
I am trying to implement the jwt refresh token in asp.net core.
For storing the refresh token, I have created the table.
Based on the jwt suggestion, for SPA application, we should not expose refresh token to the client. https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
So I have planned like,
On user login, create the access token and share to the client
Create a refresh token for the access token and store it in the database and store it in HTTP only cookie
When user access to the authorized controller and action, If access token expire, I want to generate new token based on refresh token.
But,
In many places, I have found like, user will send a request. If it is unauthorised, then user will request for the new access token with the stored refresh token (local storage or something else) and again call to the valid api request.
I don't want to that as mentioned in the last paragraph(is that right one?).
When user send a request, if it is invalid, I want to validate the token in the server side itself and need to provide new access token and proceed with the last api call.
Is there any solution for this implementation like interpreting the authorize and validate?
In my opinion , it is dangerous to use/keep refresh token in SPA apps. Refresh token is powerful instrument , which is almost as powerful as the password itself . Store it in cookies or localStorage and both of these options are inherently insecure as they’re vulnerable to CSRF or XSS attacks against the client application . So i think it's better to just keep access token and do silent sign-in to renew it when access token expires.
So i don't think it's a good idea to return and use refresh token if client app is SPA application even using Code + PKCE .
I am using the JWT middleware + ASP.NET Identity to establish a simple User/Password login in my ASP.NET Core WebAPI project.
The tokens will be valid for 15 minutes. I think I will be utilizing the Refresh Token concept to keep the user logged in, when he is still browsing the site (SPA) or using the mobile app (What about a remember me option? I would create a token that's valid for a month maybe?)
So, is there any way to revoke a generated token? I am think about checking (on each request) if the user still has the right to access the API. Maybe there is another way to handle these cases?
I see a AspNetUserTokens table. Maybe there is a way to store the JWT in there automatically?! At the moment I am using ASP.NET Identity just for user authentication.
You can refer to this article : http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/
Once the user obtains long lived access token he’ll be able to access the server resources as long as his access token is not expired, there is no standard way to revoke access tokens unless the Authorization Server implements custom logic which forces you to store generated access token in database and do database checks with each request. But with refresh tokens, a system admin can revoke access by simply deleting the refresh token identifier from the database so once the system requests new access token using the deleted refresh token, the Authorization Server will reject this request because the refresh token is no longer available (we’ll come into this with more details).
The simple way is to issue short lived access tokens ,if you want to revoke the user , revoke the refresh token as the article shows , clear refresh token and access token on client side . Of cause , access token is still active until it expires .
Another way is to use Identity Server 4 Reference Tokens :
http://docs.identityserver.io/en/release/topics/reference_tokens.html
IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token
While I was learning how to integrate Facebook Authentication into ASP.NET MVC application I have written a code that uses session state to store the access_token obtained via Facebook JS SDK. As soon as the java-script code has the access token, it is being posted onto a special controller action that stores it in Session dictionary.
I would like to avoid the use of Session but to still have the access token available to retrieve user info. Is it safe to just store it in a non-permanent cookie? Will the effect be the same?
It might interest you that the official PHP SDK stores the access token in a session, or in the signed_request which is stored in a cookie. However, the signed_request is encrypted using the app secret which is a lot more secure than storing the access token unencrypted.
https://github.com/facebook/facebook-php-sdk/tree/master/src
Also, here's a previous discussion on stackoverflow about cookie vs session security:
Do i login using cookies or sessions in a login system?
You may create your own encrypted signed request if you please, however never do that from your client (because it would require storing the secret on your client). For more info see the PHP SDK and/or the link:
https://developers.facebook.com/docs/authentication/signed_request/
I'm implementing a rest api to using the new web api framework. This api will be consumed by other companies so we'll be adding an authentication method.
In relation to authentication, I'm thinking to implement something based on tokens. Something like this
client provide credentials to login method
system authenticate client and send a token
client uses this token on following api calls
I wonder if this schema is useful for my scenario. Operations will be mainly atomic, basically clients will periodically ping this api to get some specific data, so not sure if make sense having a session token (at some point the token should expire and not sure how to manage this).
How would you recommend to implement authentication schema for this scenario?
When you generate a token I would store it in a database with a foreign key back to the authenticated login's primary key. I would also (with the token) store the date and time it was established, and a timeout period (you could set this per token, or store it in a config). Check the token/time everytime the service is pinged by that user, then force them to reauthenticate after that time expires (by checking it against the created date stored with the token).
This would make sure that the login information is only getting transmitted after the token expires, when a new token is generated it would delete the old token record.
Am I understanding your requirements right?
Making a token based authentication scheme like this is not easy.
I don't really have an answer for how you could implement it in a good and secure way. But will offer some thoughts off the top of my head about issues you will have to deal with:
The token generation need to be well randomized and the tokens need to be "sufficiently" (for some definition of sufficient) long in order to prevent someone from simply sending a bunch of different tokens to see if he "gets a hit"
The above issues should not be too difficult to implement. But the more tricky thing to figure out is:
How you can you reliably verify that the token has not been "kidnapped".
If the token is simply some random string, then anyone who happens to "see" it in tranfer (use SSL) will be able to assume the identity of the use for which the token was generated.
The token, when received by your service will let you know that:
Your application issued the token to user/application/entity X
The token is intact (has not been changed)
Any other thing you store with the token (is it expired etc)
But it will not without further effort let you know for sure that it was sent by user/application/entity X. It could be Y who has managed to get hold of the token.
That is the case for many authentication schemes of course, so depending on just how sensitive your data is, and also on what kind of operations can be done via you service, it may not be a huge issue for you.