casdoor / casdoor-go-sdk

Go client SDK for Casdoor
https://github.com/casdoor/casdoor
Apache License 2.0

Refresh token and access token are interchangeable #99

Closed pi-kei closed 8 months ago

pi-kei commented 8 months ago

Version: 0.35.1

If you pass either a refresh token or an access token to casdoorsdk.ParseJwtToken(token), then the token will pass verification and there's no good way to distinguish one from the other using the returned casdoorsdk.Claims. The downside of this is that security risks are higher.

You can use a jwt parser directly, without the casdoor sdk, to ensure the token type. Refresh tokens have a claim TokenType that equals refresh-token.

casbin-bot commented 8 months ago

@tangyang9464 @JalinWang @imp2002

hsluoyz commented 8 months ago

@pi-kei Casdoor's refresh token and access token are very similar; this is by design. You can check refreshClaims["TokenType"] = "refresh-token" by yourself to see if it is a refresh token.
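The check suggested above, and the TokenType field on the Claims struct that the rest of the thread discusses, in one added example. This is not code from casdoor-go-sdk or Casdoor: it is a stdlib-only RS256 verifier standing in for ParseJwtToken, with a wrapper that refuses a token whose TokenType claim is "refresh-token" where an access token is expected. The key pair, the subject "alice", and the function names are constructed for the example; the JSON key "TokenType" and the value "refresh-token" are the ones the thread names, and because the page does not state what an access token carries in that claim, the wrapper rejects exactly that value rather than requiring another.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of the payload inspected here; TokenType is the claim the thread says Casdoor sets to "refresh-token".
type Claims struct {
	Subject   string `json:"sub"`
	TokenType string `json:"TokenType,omitempty"`
}

// b64 is base64url without padding, as JWS (RFC 7515) requires.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 stands in for the issuing server (not Casdoor's code): RS256 over the claims.
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// parseRS256 verifies the signature and decodes the claims; like the ParseJwtToken behaviour reported in the issue, it ignores TokenType.
func parseRS256(pub *rsa.PublicKey, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
		raw[i] = b
	}
	// Pin the algorithm instead of trusting whatever alg the header names.
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &h); err != nil || h.Alg != "RS256" {
		return nil, errors.New("unexpected or unreadable alg header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature verification failed: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// ParseAccessToken adds the check the thread asks for: a verified token carrying TokenType "refresh-token" is refused here.
func ParseAccessToken(pub *rsa.PublicKey, token string) (*Claims, error) {
	c, err := parseRS256(pub, token)
	if err != nil {
		return nil, err
	}
	if c.TokenType == "refresh-token" {
		return nil, errors.New("refresh token presented where an access token is required")
	}
	return c, nil
}

// Demo issues one access token and one refresh token for a constructed user and reports how ParseAccessToken treats each.
func Demo() (acceptedAccess, rejectedRefresh bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	access, errA := signRS256(key, Claims{Subject: "alice"})
	refresh, errR := signRS256(key, Claims{Subject: "alice", TokenType: "refresh-token"})
	if errA != nil || errR != nil {
		return false, false, fmt.Errorf("signing failed: %v %v", errA, errR)
	}
	_, errA = ParseAccessToken(&key.PublicKey, access)
	_, errR = ParseAccessToken(&key.PublicKey, refresh)
	return errA == nil, errR != nil, nil
}

func main() {
	fmt.Println(Demo()) // true true <nil>
}
```

Both tokens verify identically in parseRS256, which is the situation the issue describes; only the extra claim check separates them, so an endpoint that wants access tokens has to look at TokenType explicitly, whether through a field on the SDK's Claims struct or by decoding the claims itself.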


pi-kei commented 8 months ago

@hsluoyz To make it clear: Does it make sense to add the claim TokenType to casdoorsdk.Claims?

hsluoyz commented 8 months ago

@pi-kei isn't it already there? See:


pi-kei commented 8 months ago

@hsluoyz casdoorsdk.Claims is a struct which does not include TokenType as a field. https://github.com/casdoor/casdoor-go-sdk/blob/master/casdoorsdk/jwt.go#L27 When you call casdoorsdk.ParseJwtToken(token), the casdoorsdk.Claims is the only thing you get. The only way around it is to parse the JWT using some jwt parser directly, without using the casdoorsdk package. Declaring TokenType as a field in casdoorsdk.Claims could resolve this, I think. Or am I still missing something?

hsluoyz commented 8 months ago

@pi-kei didn't you see that the value is already set in the claims before generating the JWT?


pi-kei commented 8 months ago

@hsluoyz Yes, I see that the value is already set in the claims before generating the JWT. I even wrote about that when I created this issue. I am talking about the github.com/casdoor/casdoor-go-sdk/casdoorsdk package and its use cases. How can I use this package to get the TokenType claim from the JWT? Using this package I can get every other claim from the JWT except TokenType.

hsluoyz commented 8 months ago

@pi-kei if you use: https://jwt.io/ to parse the token, is TokenType there already?

pi-kei commented 8 months ago

@hsluoyz Yes, it is there. But the question is how to get it in the code using this sdk package. And the answer is I can't until it is modified. Should it be modified?

hsluoyz commented 8 months ago

@pi-kei yes, can you make a PR?

pi-kei commented 8 months ago

@hsluoyz Sure.