altunkan / authentication-test


Questions about refresh token #1

Open francescofact opened 4 years ago

francescofact commented 4 years ago

Hi, first of all thank you for this complete example of JWT + httpOnly authentication in Spring. I haven't understood just one thing. Why do you use a refreshToken? Why not simply give a longer accessToken? If they stole the accessToken, it's unlikely that they didn't also steal the refreshToken, and with the refreshToken they can get fresh accessTokens for 90 days.

Is there something that I didn't understand? Thank you.

altunkan commented 4 years ago

Hi, access tokens with long durations are vulnerable to security attacks. Since we are not persisting tokens, they are going to be active for their whole duration. If an active access token is stolen, it can be used for authentication purposes even though we used an HttpOnly cookie.

francescofact commented 4 years ago

Why are access tokens vulnerable and refresh tokens not? It's literally the same thing. If you have a refresh token, you can request an access token.

altunkan commented 3 years ago

Hi @francescofact ,

Yes, it is the same thing. This is the problem with native applications and SPAs. This code & article isn't exactly following OAuth2 standards. If we want to keep users logged in, we need to silently refresh access tokens. This kind of sensitive data should be kept as an HttpOnly cookie, and this article is related to that specific subject.

The following solutions can be applied to increase the security level.

  1. HTTPS is a must.
  2. Use short-lived refresh tokens and generate a new refresh token each time the access token is refreshed. The access token can be 1 hr and the refresh token can be 7 days. If the user does not log in for 7 days, then re-authentication is a must.
  3. Follow OAuth2 standards. Use separate resource and authorization servers with an extra backend layer. Do not send requests directly to the authorization server from the SPA. Instead, use your backend: add client_id and client_secret to your request body and send the request to the authorization server from the backend. But the problem still exists: anyone with a valid refresh token can still send requests to your backend.
  4. Implementing a secure authorization server is hard. Use 3rd-party providers such as Keycloak. Spring Security stopped developing its authorization server and suggests using a 3rd-party provider.
  5. Do not use a registration system. Use Google, LinkedIn, GitHub, Microsoft or any authentication providers with 2FA capabilities.
  6. Persist access and refresh tokens into Redis and only store the access token with a 1 hr TTL in the SPA.
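An added example, not code from this repository or from the thread's participants, showing the rotation scheme from points 2 and 6 above: a 1 hour access token, a 7 day refresh token that is stored server-side and replaced on every refresh, and mandatory re-authentication once the refresh token expires. It is written in Python rather than the project's Spring/Java so it can be run stand-alone. The HMAC-signed access token is a simplified stand-in for a JWT, the `store` dict stands in for the Redis store mentioned in point 6, and all names, timestamps and the secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# TTLs taken from the thread's suggestion: 1 hour access, 7 day refresh.
ACCESS_TTL = 60 * 60
REFRESH_TTL = 7 * 24 * 60 * 60


class AuthError(Exception):
    """Raised when a token is invalid, expired, or already rotated away."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Issues HMAC-signed access tokens (stand-in for JWTs) and rotates opaque,
    server-side refresh tokens. `store` plays the Redis role from the thread:
    refresh token -> {"user": ..., "exp": ...} (constructed in-memory here)."""

    def __init__(self, secret: bytes, store: Optional[dict] = None):
        self._secret = secret
        self.store = {} if store is None else store

    # --- access tokens: stateless, verified by signature and expiry ---------
    def _sign(self, body: str) -> str:
        return _b64(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())

    def issue_access(self, user: str, now: float) -> str:
        body = _b64(json.dumps({"sub": user, "exp": int(now + ACCESS_TTL)}).encode())
        return f"{body}.{self._sign(body)}"

    def verify_access(self, token: str, now: float) -> str:
        if "." not in token:
            raise AuthError("malformed access token")
        body, sig = token.split(".", 1)
        if not hmac.compare_digest(sig, self._sign(body)):
            raise AuthError("bad signature")
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            raise AuthError("access token expired")
        return claims["sub"]

    # --- refresh tokens: opaque, persisted, single-use (rotated) -----------
    def _issue_refresh(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.store[token] = {"user": user, "exp": now + REFRESH_TTL}
        return token

    def login(self, user: str, now: float) -> Tuple[str, str]:
        """Called after the real authentication (password, IdP, 2FA) succeeded."""
        return self.issue_access(user, now), self._issue_refresh(user, now)

    def refresh(self, refresh_token: str, now: float) -> Tuple[str, str]:
        """Exchange a refresh token for a fresh pair. The presented token is
        deleted, so a stolen copy stops working as soon as the legitimate
        client refreshes, and in any case after REFRESH_TTL of inactivity."""
        record = self.store.pop(refresh_token, None)
        if record is None:
            raise AuthError("unknown or already-used refresh token")
        if now >= record["exp"]:
            raise AuthError("refresh token expired; re-authentication required")
        user = record["user"]
        return self.issue_access(user, now), self._issue_refresh(user, now)


def demo() -> dict:
    """Walk the lifecycle on a constructed timeline (no real clock involved)."""
    srv = AuthServer(secret=b"demo-secret-not-for-production")
    t0 = 1_000_000.0
    access, refresh = srv.login("alice", t0)
    out = {"user": srv.verify_access(access, t0)}
    later = t0 + 2 * 3600  # two hours on: access token dead, refresh token alive
    try:
        srv.verify_access(access, later)
    except AuthError as e:
        out["expired_access"] = str(e)
    access2, refresh2 = srv.refresh(refresh, later)
    out["user_after_refresh"] = srv.verify_access(access2, later)
    try:  # the previous refresh token (e.g. a stolen copy) is now useless
        srv.refresh(refresh, later)
    except AuthError as e:
        out["old_refresh"] = str(e)
    try:  # after 7 idle days even the current refresh token forces a re-login
        srv.refresh(refresh2, later + REFRESH_TTL)
    except AuthError as e:
        out["idle_refresh"] = str(e)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the thread circles around is visible in `refresh()`: because the refresh token is persisted and single-use, the server can reject a copy that is replayed after the real client has rotated, which a long-lived stateless access token could never do. Reuse of an already-rotated token is also a useful signal to alert on, since a legitimate client never presents the same refresh token twice.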