-
-
Notifications
You must be signed in to change notification settings - Fork 750
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for refresh tokens #1337
Comments
👍 @corymsmith and I were talking about this. Hoping to help kick some of this over the finish line over the "holidays". |
We have support for this in master but also have support for this in the
|
We do have a token renewal process in place, but not quite full refresh token support as described in the Auth0 link I posted above. An actual refresh token works similar to a GitHub auth code/password, but can only be used to get a new JWT token. So even if your JWT token expires, if you have a refresh token you can use that to login again. They are persisted to the database with userId intact and can be revoked at any time. At least, that's what I'm gathering from the Auth0 article. |
Ah you are right @marshallswain. Guess I should have clicked the link 😉 |
I think for the first cut we'll leave this off the 1.0 milestone then. It's easy enough for people to just re-authenticate. |
I kinda vote that we make this a |
Great minds. |
I am still quite confused as it is not clear of how exactly the authentication workflow works. What I am currently doing now is.
This returns JWT token.
2.) Then, I put this token in Authorizatin http header to access API.
The thing I don't understand is next how to actually refresh this token.
Even weirder things is I tried to use this new token and send to /auth/token/refresh again. I am not sure what I did wrong or misunderstand here. Please suggest. |
@parnurzeal we don't really have refresh token support yet. That's why this is a proposed feature. The way to get a new token is to do a POST to |
RIght, but please look closely on how I did and the result I got. Let's use a easy example. Also, all three tokens above are all usable at the same time. |
@parnurzeal what I'm saying is do not do what you did because that feature isn't really implemented. Based on the implementation (thus far) the fact that the token keeps growing every time you hit
This is the nature of JWT. They expire on their own from their TTL. If you want to prevent old tokens from being used that have not expired yet then you need to maintain a blacklist. Currently, this is left up to you and we have an open issue (#133) around that but likely won't get to that soon (if ever). |
Hi there, I looked into /auth/refresh/token and I came out with something like that:
Is it too naive as implementation? If not I could try to polish, add a couple of tests and create a PR. |
@aboutlo thanks for the effort! It's best to wait until v0.8 is out (it's been in alpha for a while now) as there are a bunch of changes that have happened and that route might be going away this week. We've given a lot of thought to refresh tokens so once 0.8 is released (this week) I'd love to take to this issue to discuss. I'll likely put up our preliminary thoughts later this week. |
fair enough @ekryski, I will wait for the 0.8 :) |
This feature is a MUST when it comes to React Native apps. The user logs in at the beginning and when he opens the app after several weeks he expects to be still logged in. |
@deiucanta the good news is that we kept this feature in mind while we designed auth@1.0. I don't think it will be long before we get it in place and documented. |
that's good news! 👍 looking forward for that |
@marshallswain Looking forward for an update on this feature. Please let me know when can we expect this. Or is it already released? Thanks in advance. |
@deiucanta In the meantime, until this feature gets released, you could use longer-lived tokens. Once released, you can rotate your auth secret to a new value to wipe out all existing sessions, and get all of your users on the shorter, renewing ones. |
@atulrpandey it's not officially released but it's not hard to implement either. You simply add a hook to generate a new refresh token and store that on the user object in the DB and once it is used up or expired you remove it from the user. @petermikitsh another thing you can do (if you are on mobile) is store a |
@ekryski can you please provide an example of either one of these strategies? that will be really helpful. |
On the topic of refresh tokens:
So I got into React Native myself sooner than I thought I would. I'm thinking of possibly contributing this, but I'd want to be sure I fully understand the mechanics to be sure it's the correct implementation. Since refresh tokens are not stateless, there will be some constraints on usage (e.g., developers will need to supply a storage adapter). Can you use a valid JWT to get a refresh token? Or are refresh tokens automatically returned in the authentication response (e.g., in addition to the |
@petermikitsh I don't think you should be able to use a valid JWT to get a refresh token. If you do that, anyone can get a JWT and keep access to an account. Refresh Tokens are typically returned with login/signup responses and then the client can't really get access to them again for the specific session unless they login/signup again which gives them a new session and a new refresh token. Refresh Tokens don't really need to expire but they can be evoked if they are being stored in the database and so this way, the user can also see how many active sessions they have. You could store more info when issuing refresh tokens (like os, ip, device name etc. to make them identifiable - like how Facebook, GitHub do). At least that's how I do it. |
It should be ok to use a valid JWT to get a refresh token as long as you check authorization both when you issue the refresh token and when you attempt to use the refresh token. |
So then it should be called |
As @abhishekbhardwaj said accessToken, should not be refreshable by an accessToken, but only by a refresehToken or username/password, a refreshToken should only be refreshable by a user/password authentication, or some other secret, which is not accessible by the browser, like a 2 factor auth... Currently, it is possible to refresh your accessToken with an accessToken, like mentioned here: |
Another approach is to store refresh token inside accessToken's payload, then current refresh api checks if refresh token is not revoked (through database or redis call). This way refresh token could be a simple auto-increment id. Also refresh api should not check expiration anymore. Since refresh token (simple integer) is signed with access token, it's secure. This way changes to current code base should be minimal: For refresh api provide a way so that user can provide a hook to check if a access token is not revoked (through checking refresh token inside it's payload), if this hook is provided don't validate expiration time anymore. |
Could you explain this approach some more @arash16 ? If you store the refresh-token in the accessTokens payload, and the refresh API doesn't check expiration, haven't you just effectively made every accessToken "non-expiring" Because any accessToken could be used to get a new access token, right? Am I missing something? |
@BigAB Developer should have a db-table/redis to store all refresh-ids. When a user needs to revoke or sign out of some (or all) other sessions, we can provide him a list of all refresh-ids (plus some other extra info such as browser or creation date etc) and he chooses to remove (sign-out of) them selectively. After that once the actual token containing those refresh-ids is expired, refresh api refuses to give a new one. The refresh-id inside token is not used most of the time and authorization is stateless until the token expires, after that we may have a single call to db to validate refresh id and return a fresh access-token. Access token's expiration time could be short (less than 10 minutes), user may close the page and walks away, later when he opens the page access-token is already expired and he is logged out. But refresh-id inside the token has a much longer time-to-live managed by database (for example 7 or 30 days), and also manually revocable. From security point of view, the access-token used this way should be treated like an old session-key, with extra benefit that we won't have to call database to validate it every time (only once expired). |
@arash16, I like your idea to store the refresh token inside the access JWT. Is there any example, how to retrieve this refresh token on the server side? My current problem: If the access token is expired, the payload is not available in feathers's hook context. I guess, a way would be to use the |
@MichaelErmer as a workaround you can use local or any custom strategy to renew jwt, not ideal, but works fine for internal communication, let's say between worker and api. function initAuth() {
return async (ctx) => {
if (ctx.path !== 'authentication') {
const [authenticated, accessToken] = await Promise.all([
ctx.app.get('authentication'),
ctx.app.authentication.getAccessToken(),
]);
if (!accessToken || !authenticated) {
const result = await ctx.app.authenticate(apiLocalCreds);
ctx.params = {
...ctx.params,
...result,
headers: { ...(ctx.params.headers || {}), Authorization: result.accessToken },
};
} else {
const { exp } = decode(accessToken);
const expired = Date.now() / 1000 > exp - 60 * 60;
if (expired) {
const result = await ctx.app.authenticate(apiLocalCreds);
ctx.params = {
...ctx.params,
...result,
headers: { ...(ctx.params.headers || {}), Authorization: result.accessToken },
};
}
}
}
return ctx;
};
}
client
.configure(rest(apiHost).superagent(superagent))
.configure(auth(authConfig))
.hooks({ before: [initAuth()] }); |
Currently I'm using this const {DateTime} = require('luxon')
const renewAfter = {days: 20}
module.exports = () => {
return async context => {
if (
context.method === 'create' &&
context.type === 'after' &&
context.path === 'authentication' &&
context.data && context.data.strategy === 'jwt' &&
context.result &&
context.result.accessToken) {
// check if token needs to be renewed
const payload = await context.app.service('authentication').verifyAccessToken(context.result.accessToken)
const issuedAt = DateTime.fromMillis(payload.iat * 1000)
const renewAfter = issuedAt.plus(renewAfter)
const now = DateTime.local()
if (now > renewAfter) {
context.result.accessToken = await context.app.service('authentication').createAccessToken({sub: payload.sub})
}
}
return context
}
} It's important to have this hook in |
Any plans to integrate refresh tokens in feathers? |
I second that question one message earlier. |
Am wondering about the refresh token workflow as well. Is the solution drafted by @m0dch3n a good practice? Should we implement it another way ? |
The whole refreshToken workflow in my opion only protects only a little bit against man in the middle attacks, so that if the middle man steals the accessToken he can at least not refresh it and have infinite access to the ressources. It does not protect against XSS, because in that case, the attacker is able to steal anything stored on the client side. So also the refreshToken... The problem now is, that if you make your accessToken expiration time too small (i.e. 5 minutes), you also have too refresh it more often. The man in the middle only needs to listen during 5 minutes to the clients requests in order to intercept the refreshToken then... If you make the expiration longer, he has longer access with just the accessToken... Honestly if some client tells me, his access got stolen, I need to blacklist accessToken AND refreshToken anyway to be sure. So I'm forced to make a DB request on each request anyway. In my case, when I'm aware of such a case, I blacklist all the accessTokens from the last 40 days, because my accessTokens have a validity of 40 days... |
Using HTTPS request makes man in the middle attacks really difficult. Aren't you using HTTPS requests? |
Of course I'm using https, but there are 3 possibilities to steal the accessToken. First is on client side (XSS i.e.), second on transport (man in the middle), and third on server side. On client and on transport, I'm only half responsible for the security, and the other half is the client, which is not totally under my control. But I can help the client, to avoid security risks, by making XSS impossible and by securing the transport with https... The goal of a refreshToken is, to make the expiration of an accessToken shorter AND to not transmit a longer or infinit valid token on EACH request So the only security it brings, is that from 100 requests i.e, you don't make all the 100 vulnerable on transport, but only 1 request So basically a man in the middle attack, can't be protected by a refeshToken and of course not by an XSS... It can only be reduced, by how many times you transmit this refreshToken... The cost of transmitting it lesser however is, that the accessToken needs to be longer valid... |
I just copy/past my comments from Slack channel: I think refresh token is a must support feature and it is not about automatically renewing existing access token. Access token is stateless and won’t be stored in server side. The down side is it is valid forever! The longer of access token, more risk is imposed. But if access token is too short, then your users have to login quite often, that will greatly impact usability. That’s where refresh token comes in, the token used to refresh access token and it is a long live token. When access token expired, client can use refresh token to get a new access token, and that’s the only purpose of refresh token. Refresh token is revokable in case of user account has been compromised. And that’s the big difference between access token and refresh token. To revoke issued refresh token, server must store all issued refresh tokens. In other words, refresh token is stateful. Server needs to know which one is valid which one is invalid. To properly implement refresh token, we need some sort of token store to persist refresh token. We also need to implement at least three flows: Refresh token validation There are other management functionalities also nice to have such as token usage stats. Above is my current understanding regarding how to implement refresh token. It is not easy but it definitely necessary to build a more secure system. |
It turns out Feathers already built-in all functionalities/modules required to properly implement refresh-tokens:
Based on the work done by TheSinding (https://github.com/TheSinding/authentication-refresh-token), I implemented my own version of refresh-tokens with one custom service and three hooks (https://github.com/jackywxd/feathers-refresh-token) which enables basic refresh-tokens functionalities:
While fully leverage existing code base in Feathres, the actually coding effort is minimum, and it integrates with current Feathers architecture nicely. It proves that current Feathers architecture is very extendable. But a full feature of Refresh-token also requires support at Client side, such as store refresh-token in client side, reAuthenticate user after access-token expiration, logout user with refresh-token. After review the source code of feathers-authentication and authentication-client, I believe refresh-token could be tapped into existing Features code based to allow turning on refresh-token support as easy as turning on authentication. I already ported my hooks version refresh-token code base into @feathersjs/authentication. Next I would try to make change on authentication-client to enable client side features. My ultimate goal is to enable refresh-token support in both server and client side. |
My question/concern is how would the refresh token be stored in the client? See https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/
See this long discussion on cookie - feathersjs-ecosystem/authentication#132 too |
@bwgjoseph I would suggest to use regular express session, and store all tokens there, instead of client side. That's what I do and works perfectly fine with all types of apps including SPA |
@sarkistlt You mean to say to store all client JWT token on server-side? Any reference/article material for that? I'm not exactly sure how the process would be like. So what does client sent, when they request for data (CRUD)? |
@bwgjoseph same as always, cookie, just add middlewere before registerring your services: app.use('* | [or specific rout]', session(sess), (req, res, next) => {
req.feathers.session = req.session || {};
next();
}); then in your server, for let's say customer login service, when customer is authenticated, you just store token in the session like I'll just add that this works best for client (browser) - server applications. When communicating internally between servers, or worker/server, you don't need session. |
This has been discussed a lot before (I also added an entry to the FAQ) and it is not necessarily more secure to store a token in a session. If someone gets access to your page to be able to execute scripts they have also hijacked the session and can make authenticated requests anyway. Hence it is usually ok to store a token in e.g. localStorage (which only the current page has access to as well) and it also works seamlessly with other non-browser platforms (like native mobile apps, server-to-server etc.) and websockets (I can't stress enough how painful it is to make websockets work seamlessly and securely with HTTP cookies - my life has been a lot easier since we stopped trying to do so). In general, a refresh token should be revokable though since it is usually a lot more long lived. Either way, a pull request for this would be very welcome, I find it makes ironing out the details a lot easier. |
@jackywxd - Great job, took a brief look at it and it seems like some great additions. I think you should create a pull request and we could have the discussion there. |
@daffl yes agree, especially with WS. And if both client and backend build by you or your team, yes it's best to just use JWT and avoid extra dependancies and complexity in your application. |
But wouldn't that be the design decision and responsibility, of the maker of said storefront, to implement into their own API and then properly document this feature, instead of "forcing" this decision onto the community ? |
@TheSinding I think we can say 'forcing' about less commonly used approach, not about cookie which have been (and still is) most commonly used approach to manage user sessions. And yes it is a design decision made after developers feedback that have been using the API. When you are running multi-tenant system or API that used by multiple teams, sometime best is to follow general industry practice to avoid additional confusion and extra time spent by developers, especially if alternative solution doesn't provide any advantage for end user. Again to be clear, using JWT is great, and way easier to utilize especially for real time API and that's what we are using in 90% of cases + you don't need to run redis or something else to manage cookie sessions. |
I wasn't saying you were wrong, I was just thinking "out loud" :) IMO, I think the approach with JWT would be a better approach, since that is what is already supported and as @daffl it's also easier to work with |
Thanks for all your feedback! JWT vs session is a different topic we can discuss separately. I think one thing we all agree is that access token + refresh token is a much more secure solution than merely access token. It has been widely adopted by major Internet giants. It is fair to say the Feathers community would love to see Feathers main code base to provide built-in support for refresh token. Actually it surprised me when I first realized that Feathers doesn't support refresh token. I have been using AWS cognito in couple of my projects, AWS Amplify will save three tokens in localStorage: ID token, access token and refresh token, Amplify handles all the dirty-works related to token management, and provides couple APIs that enables easy and straight forward interface working with Cognito backend. I would like to see similar development experience with Feathers. |
@TheSinding Thanks for your previous great work! Because existing authentication is implemented as normal service, we could easily enable refresh-token support by extending the class and adding couple hooks:
Just like we turn on Authentication by using the CLI, we could offer the similar option in CLI for refresh-token support. developer can simply answer YES, the CLI then automatically creating a customer "refresh-tokens" service and update refresh-token related configurations in default config file. So it is like a turn-key solution for developers. |
@daffl David, thanks for creating Feathers! just wondering is there any "contributing guid", "coding guideline", "style guide" for Feathers? |
As I mentioned before, a PR with the implementation for refresh tokens (or even just some ideas) would be very welcome. I didn't get a chance yet to check out the linked repos and this discussion is getting quite long. Having it all up to date and in one place would make things a lot easier. Some important bullet points:
|
If someone is using refreshToken, we create a library that handles in frontend, accessToken and refreshToken like "sessions", too easy to use. Only need to pass the tokens and the library tries to obtain a new acessToken with refreshToken when will expire. Currently is used in Videsk. Repository: Front Auth Handler |
I saw this video about the risks related to JWT andrefresh tokens in SPA, it is really informative. |
We currently allow getting a new token by posting a valid auth token to
<loginEndpoint>/refresh
. Refresh tokens have a slightly different workflow as explained here:https://auth0.com/learn/refresh-tokens
The text was updated successfully, but these errors were encountered: