No Concept Of Regeneration Token In ServiceNow OAUTH Token Generation - servicenow

While creating an OAuth token I came across different methods to create an access token and a refresh token. While the access token has a life of 30 mins and the refresh token has a lifespan of 100 days, there is no way to regenerate the refresh token without providing credentials again, i.e. username and password.
Is there any way to regenerate the refresh token without using credentials?
Below are the resources that I read:
OAuth 2.0 with Service Now
Below are the steps by which we can generate access_token and refresh_token:
https://developer.servicenow.com/blog.do?p=/post/inbound-oauth-auth-code-grant-flow-part-1/
Create an endpoint for client access:
https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/task/t_CreateEndpointforExternalClients.html
Request parameters to get access_token and refresh_token:
https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/r_OAuthAPIRequestParameters.html
These are the responses we are getting:
https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/r_OAuthAPIResponseParameters.html
There is no concept of regenerating the token; we can only do it by increasing the token expiration time.

I believe you do not need username and password; just client ID and client secret are required to get the new access token.

Related

Oauth with same credentials and multiple sessions

I am working on an eCommerce Website and an App. We use SAP Hybris for OAuth 2.0.
To get an access token I send a Client ID, Client secret, Username and Password to the auth server.
Problem Example:
If I log in with the App first and then the Website, I won't be able to refresh my token in one of the sessions.
The token I receive from the server is pretty standard and looks like this:
{
"access_token":"9T7IziRSIM_QIqFtttM8rhf83zU",
"token_type":"bearer",
"refresh_token":"MztkOmh67gIEiMwX5sED-Rug51c",
"expires_in":43199,
"scope":"basic"
}
The only difference is that in the "Website Token" the expires_in would have a lower value than 43199 since it was requested after the "App Token".
Since both the access_token as well as the refresh_token are identical, the moment one of them expires and we try to fetch a new token, the first session that does it will receive completely different credentials. As soon as the second session (which is now expired) tries to also refresh its credentials, the server will deny new credentials, since the old credentials can be used only once to get new tokens.
Every 12 hours the tokens become expired and the first client to request a new token effectively logs out the other client by doing so.
Question:
What could I do to deal with this problem?
I was thinking it should be possible to send a unique ID with my request to generate a unique token. However, I cannot find any information about this in the SAP Docs.

How to Disable a JWT Token

I want to disable the generated JWT token when the user logs out from the application, and this needs to be done in back-end code. How can I disable the JSON Web Token (JWT) using the authentication server (SpringBoot)?
Generally speaking, with JWTs you have an access token with a short duration (like 15 minutes) and a longer refresh token (30 days). You should store the refresh tokens that you've given out in a table and when the user logs out, flag the token as revoked and then when you give a new access token out, verify that the refresh token hasn't been revoked.
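The answer above describes a revocation table for refresh tokens; the "multiple sessions" question earlier on this page describes what goes wrong when two sessions share one single-use refresh token; and the ServiceNow question at the top asks whether a refresh needs the user's password. The following is an added example written for this page (it is not code from any of the posts, nor from Spring, SAP Hybris or ServiceNow) that shows all three points in one small in-memory token store: the refresh grant takes client credentials plus the refresh token and never the user's password; every login gets its own refresh token so two sessions rotate independently; and tokens are single-use, flagged revoked on logout, with reuse of an already-rotated token treated as a replay that revokes the whole session. The class and method names (TokenStore, login, refresh, logout), the TTL constants and the client credentials are all made up for the demo.

```python
"""Added example, not from the posts on this page: a minimal refresh-token
store with per-session issuance, single-use rotation, reuse detection and
logout revocation. All names and constants here are hypothetical."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 15 * 60           # short-lived access token, in seconds
REFRESH_TTL = 30 * 24 * 3600   # long-lived refresh token, in seconds


def _h(token: str) -> str:
    # Only a hash of the refresh token is stored, so a leaked table is not a leaked credential.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshRecord:
    user: str
    session: str          # one session id per login, so App and Website get distinct tokens
    expires_at: float
    revoked: bool = False
    used: bool = False    # set once the token has been exchanged (single use)


@dataclass
class TokenStore:
    client_id: str
    client_secret: str
    records: dict = field(default_factory=dict)   # sha256(refresh_token) -> RefreshRecord
    sessions: dict = field(default_factory=dict)  # session id -> hashes of every token it ever had

    def _check_client(self, cid: str, secret: str) -> bool:
        return secrets.compare_digest(cid, self.client_id) and \
            secrets.compare_digest(secret, self.client_secret)

    def _mint(self, user: str, session: str, now: float) -> dict:
        refresh = secrets.token_urlsafe(32)
        self.records[_h(refresh)] = RefreshRecord(user, session, now + REFRESH_TTL)
        self.sessions.setdefault(session, []).append(_h(refresh))
        access = secrets.token_urlsafe(32)   # opaque access token is enough for this demo
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def login(self, client_id, client_secret, user, password_ok, now=None):
        """Password grant: the only place the user's credentials are involved."""
        now = time.time() if now is None else now
        if not (self._check_client(client_id, client_secret) and password_ok):
            return None
        return self._mint(user, secrets.token_hex(8), now)

    def refresh(self, client_id, client_secret, refresh_token, now=None):
        """Refresh grant: client credentials + refresh token, no username/password."""
        now = time.time() if now is None else now
        if not self._check_client(client_id, client_secret):
            return None
        rec = self.records.get(_h(refresh_token))
        if rec is None or rec.revoked or rec.expires_at < now:
            return None
        if rec.used:
            # A rotated token came back: treat it as a replay and revoke the whole session.
            self._revoke_session(rec.session)
            return None
        rec.used = True
        return self._mint(rec.user, rec.session, now)

    def logout(self, refresh_token) -> bool:
        """Back-end logout: flag every token of that session as revoked."""
        rec = self.records.get(_h(refresh_token))
        if rec is not None:
            self._revoke_session(rec.session)
        return rec is not None

    def _revoke_session(self, session: str) -> None:
        for h in self.sessions.get(session, []):
            self.records[h].revoked = True
```

Because each login gets its own session id, the App and the Website from the Hybris question no longer share a refresh token, and one of them rotating does not invalidate the other. The `used` flag is what makes a replay detectable: a token that has already been exchanged should never be presented again by an honest client, so its reappearance is treated as a stolen copy and the session is closed.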

Why access token has no longer expiry time?

I am trying to implement OAuth2 with JWT in my application. One doubt I am having is why I need to have a shorter expiry time for access_token and a longer expiry time for refresh_token.
What I mean to say is, I can have an access_token with a longer expiry time and I would protect the access_token like I am protecting the refresh_token; then there is no need for a refresh_token at all. Does that make sense?
So if I leave the refresh_token out of my application, would I face any usability issue or security issue?
See RFC 6749:
1.5. Refresh Token
Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token (i.e., step (D) in Figure 1).
A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.

OKTA token for API access

I need a token (or key) to use in API requests as a bearer token.
The idea is to set it once for a user and access resources without login.
I tried to use the access_token for it, but the max expiration time is 1 day.
So, I need a token:
- with an expiration time > 30 days
- which uniquely identifies the user
- which contains authentication data, like roles and groups
Any idea how it can be done with OKTA?
If you're using OAuth in conjunction with Okta, you can use a refresh_token (which can have a much longer expiration, including unlimited) to fetch a new access_token.
So you wouldn't need end-user (resource owner) interaction. But when the access_token expires, you would need to fetch a new one using the refresh_token.

Can I know in which point we need to validate the JWT expiration?

I am quite new to JWT-based authentication, and I'm quite confused about the refresh token mechanism. In my case, I have designed my application as follows:
1. The user logs in to the application; when the login is successful, it goes to the authentication server, which signs a JWT and passes it to the client.
2. The client then stores the refresh token and the short-lived token in local storage.
3. Once the resource server is called, the token is sent through the header and gets validated.
My question is, at which point should we request another token using the refresh token mechanism? Should we check whether the short-lived token is invalid before sending the request to the resource server, or should we get a new token once the validation fails in the resource server? Or is there any better way to handle this?
A Refresh Token is a special kind of token that can be used to obtain a renewed access token —that allows accessing a protected resource— at any time.
Although Access Tokens can be renewed at any time using Refresh Tokens, they should be renewed when the old ones have expired, or when getting access to a new resource for the first time. Refresh Tokens never expire or have a very long expiration time.
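To make the answer's "renew when the old one has expired" concrete, here is an added example written for this page (not code from the question, the answer, or any library). The client reads the `exp` claim of its short-lived JWT and refreshes a little before expiry, and keeps a single 401-triggered refresh-and-retry as a fallback for clock skew between client and server. Reading `exp` on the client is not validation: the client never checks the signature, and the resource server is the only party that verifies it. The HS256 helper, the hypothetical `resource_server`, the `ApiClient` class and the demo key are all constructed here and are not part of any real product.

```python
"""Added example, not from the posts on this page: when a client should use
its refresh token. make_jwt/resource_server/ApiClient are hypothetical names."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """HS256-signed JWT, constructed for the demo (stands in for the auth server)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_exp(token: str) -> int:
    """Client-side read of the exp claim. This is NOT validation: no signature check."""
    return int(json.loads(_b64url_decode(token.split(".")[1]))["exp"])


def resource_server(token: str, key: bytes, now: float) -> int:
    """Resource server: verifies signature and exp, and never sees refresh tokens."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return 401
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return 401          # tampered or wrongly signed
    if jwt_exp(token) <= now:
        return 401          # expired
    return 200


class ApiClient:
    def __init__(self, access: str, refresh: str, refresh_fn, skew: int = 30):
        # refresh_fn(refresh_token) -> (new_access, new_refresh): stands in for the auth server
        self.access, self.refresh, self.refresh_fn, self.skew = access, refresh, refresh_fn, skew
        self.refreshes = 0

    def _do_refresh(self) -> None:
        self.access, self.refresh = self.refresh_fn(self.refresh)
        self.refreshes += 1

    def call(self, server, now: float) -> int:
        # Proactive path: refresh if the token expires within `skew` seconds.
        if jwt_exp(self.access) - self.skew <= now:
            self._do_refresh()
        status = server(self.access, now)
        if status == 401:
            # Reactive fallback: exactly one refresh and retry, never a loop.
            self._do_refresh()
            status = server(self.access, now)
        return status
```

The proactive check is the normal path and costs nothing but a base64 decode; the reactive path only fires when the client's clock and the server's disagree by more than the skew allowance, and it is capped at one retry so a revoked or otherwise unusable refresh token surfaces as a 401 instead of a refresh storm.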
