logto-io / js

🤓 Logto JS SDKs.
https://docs.logto.io/quick-starts/
MIT License

How to refresh IdToken? #846

Closed isaced closed 1 day ago

isaced commented 1 week ago

At present, I obtain the IdToken through const { getIdToken } = useLogto(); (React) and then pass it to the back-end structure for authentication through the HTTP Authorization header.

At the beginning, it works well. However, the JWT expires after one hour and will not be refreshed.

isaced commented 6 days ago

By examining the client.ts file, it appears that the accessToken is only checked and updated when getAccessToken() is called, and the idToken is updated simultaneously.

I'm not sure if this is expected. In my project, I currently don't need to use the accessToken, so I haven't called the getAccessToken() method. Are there other ways to update the idToken?

https://github.com/logto-io/js/blob/cbcebd069e82d958412af77b551ba5d3291f9eda/packages/client/src/client.ts#L521-L541

https://github.com/logto-io/js/blob/cbcebd069e82d958412af77b551ba5d3291f9eda/packages/client/src/client.ts#L470-L475

darcyYe commented 2 days ago

Would you like to provide more details on how you're going to use the ID token in your project? Usually you should rely on the access token for authorization. In Logto, we only use the existence of the idToken to check whether a user is authenticated. And the ID token is refreshed along with the refresh of any access token. So far, we do not provide an API to actively refresh the ID token.

isaced commented 2 days ago

After integrating my application with Logto, I use the idToken to protect the backend APIs. Since I only need simple user authentication without requiring fine-grained control over API authorization, I opted to use the idToken.

I didn't create an api-resource in the Logto console but instead used the idToken directly for authentication. In my backend's jwtVerify call, I did not use the audience parameter.

isaced commented 2 days ago

I am now trying to switch to using accessToken authentication, using the specified API Resource works properly, but using the Default API does not work. I'm not sure what I am doing wrong.

  1. Mark a specific API as the default API in the Logto console.
  2. The frontend calls getAccessToken(), and the parameters passed are empty.
  3. The backend verifies using jwtVerify(), audience parameter is empty.
```ts
import { createRemoteJWKSet, jwtVerify } from 'jose';

// Verify the bearer token against the OIDC provider's JWKS.
// Only the issuer is checked; the audience check is deliberately left out.
const { payload } = await jwtVerify(
  token,
  createRemoteJWKSet(new URL(this.discoveryCache.jwks_uri)),
  {
    issuer: this.discoveryCache.issuer,
    // audience: ''
  },
);
```

got error: ERR_JWS_INVALID

darcyYe commented 2 days ago

> After integrating my application with Logto, I use the idToken to protect the backend APIs. Since I only need simple user authentication without requiring fine-grained control over API authorization, I opted to use the idToken.
>
> I didn't create an api-resource in the Logto console but instead used the idToken directly for authentication. In my backend's jwtVerify call, I did not use the audience parameter.

You should always use an access token to protect API resources, even if you don't need fine-grained access control. We have a Protect your API guide here.

If no resource is specified when initializing an auth request, you will get an opaque access token (not a JWT) and hence JWT verification is not applicable in this scenario. In order to get and validate an opaque access token, token introspection is needed.

isaced commented 1 day ago

Understood, thank you for your response.