Best Practice for refreshing JWT Tokens in Xamarin - xamarin

What is the best practice for refreshing JWT Tokens in Xamarin?
We use JSON Web Tokens to login to our API. The tokens expire after some time. As the user should not have to login every time the token expires, the Xamarin app should automatically refresh the tokens in the background. If anything is wrong - for instance the user changed his password on another device - the user should be navigated back to the login page.
Should we use the Task Parallel Library for this?
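One way to structure this in a Xamarin app, as an added example that is not part of the original question or any answer: a `DelegatingHandler` in front of `HttpClient` that attaches the bearer token, refreshes exactly once when the API answers 401 (a `SemaphoreSlim` makes the refresh single-flight so ten concurrent requests do not each spend the refresh token), retries the original request, and calls an `onSessionLost` callback when the refresh itself is rejected. The `ITokenStore` interface, the `/auth/refresh` URL, the JSON field names and the `ApiClientFactory` wiring are assumptions for the example; in a real app the store would wrap `Xamarin.Essentials.SecureStorage`. No TPL scheduling is needed: the refresh happens inside the request pipeline, so it runs whenever the app actually talks to the API, foreground or background.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical token store; back it with SecureStorage, never plain Preferences or files.
public interface ITokenStore
{
    Task<(string AccessToken, string RefreshToken)?> LoadAsync();
    Task SaveAsync(string accessToken, string refreshToken);
    Task ClearAsync();
}

public sealed class RefreshingAuthHandler : DelegatingHandler
{
    private readonly ITokenStore _store;
    private readonly Func<string, CancellationToken, Task<(string AccessToken, string RefreshToken)?>> _refresh;
    private readonly Func<Task> _onSessionLost;
    private readonly SemaphoreSlim _refreshLock = new SemaphoreSlim(1, 1); // single-flight refresh

    public RefreshingAuthHandler(ITokenStore store,
        Func<string, CancellationToken, Task<(string AccessToken, string RefreshToken)?>> refresh,
        Func<Task> onSessionLost, HttpMessageHandler inner) : base(inner)
    {
        _store = store; _refresh = refresh; _onSessionLost = onSessionLost;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var tokens = await _store.LoadAsync();
        if (tokens == null)
        {
            await _onSessionLost();
            return new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
        }
        // Buffer the body once so the same request can be re-sent after a refresh.
        byte[] body = request.Content == null ? null : await request.Content.ReadAsByteArrayAsync();
        var first = await base.SendAsync(WithToken(request, body, tokens.Value.AccessToken), ct);
        if (first.StatusCode != HttpStatusCode.Unauthorized) return first;

        var fresh = await RefreshAsync(tokens.Value.AccessToken, ct);
        if (fresh == null)
        {
            await _onSessionLost(); // refresh rejected (revoked, expired, password changed elsewhere)
            return first;
        }
        first.Dispose();
        return await base.SendAsync(WithToken(request, body, fresh.Value.AccessToken), ct);
    }

    private async Task<(string AccessToken, string RefreshToken)?> RefreshAsync(string failedAccessToken, CancellationToken ct)
    {
        await _refreshLock.WaitAsync(ct);
        try
        {
            var current = await _store.LoadAsync();
            if (current == null) return null;
            // Another request finished the refresh while we waited for the lock: reuse its result.
            if (current.Value.AccessToken != failedAccessToken) return current;
            var fresh = await _refresh(current.Value.RefreshToken, ct);
            if (fresh == null) { await _store.ClearAsync(); return null; }
            await _store.SaveAsync(fresh.Value.AccessToken, fresh.Value.RefreshToken);
            return fresh;
        }
        finally { _refreshLock.Release(); }
    }

    // HttpRequestMessage cannot be sent twice, so build a fresh copy carrying the given token.
    private static HttpRequestMessage WithToken(HttpRequestMessage original, byte[] body, string accessToken)
    {
        var clone = new HttpRequestMessage(original.Method, original.RequestUri);
        foreach (var h in original.Headers) clone.Headers.TryAddWithoutValidation(h.Key, h.Value);
        if (body != null)
        {
            clone.Content = new ByteArrayContent(body);
            foreach (var h in original.Content.Headers) clone.Content.Headers.TryAddWithoutValidation(h.Key, h.Value);
        }
        clone.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return clone;
    }
}

// Wiring (assumed names and URL): the refresh call returns null when the server rejects the refresh token.
public static class ApiClientFactory
{
    private sealed class TokenPair { public string accessToken { get; set; } public string refreshToken { get; set; } }

    public static HttpClient Create(ITokenStore store, Func<Task> goToLogin)
    {
        var plain = new HttpClient(); // no auth handler, so the refresh call cannot recurse into itself
        return new HttpClient(new RefreshingAuthHandler(store,
            refresh: async (refreshToken, ct) =>
            {
                var payload = new StringContent(JsonSerializer.Serialize(new { refreshToken }), Encoding.UTF8, "application/json");
                using (var resp = await plain.PostAsync("https://api.example.invalid/auth/refresh", payload, ct))
                {
                    if (resp.StatusCode == HttpStatusCode.Unauthorized) return null;
                    resp.EnsureSuccessStatusCode();
                    var pair = JsonSerializer.Deserialize<TokenPair>(await resp.Content.ReadAsStringAsync());
                    return (pair.accessToken, pair.refreshToken);
                }
            },
            onSessionLost: goToLogin, // e.g. () => Shell.Current.GoToAsync("//login")
            inner: new HttpClientHandler()));
    }
}
```

The retry is deliberately limited to one attempt per request: if the retried request also comes back 401, the handler returns that response rather than looping, and the next request will go through the same refresh path or trigger `onSessionLost`.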

Related

How to create endless session for mobile app

Current situation
We have a very common system architecture with Spring Boot back-end and Angular front-end. For the mobile app we use Ionic, which basically uses same codebase as the front-end but adds additional features like biometrics etc.
User login is based on OAuth and access and refresh tokens are created once the user initiates the session. The access token has a short life span, where the refresh token is valid for a couple of days. As I said - very common auth flow.
What we want to achieve
Mobile app users should be able to login only once and then use the
app without the need to re-login every time the refresh token
expires.
For the "normal" front-end app refresh token expiration
policy should stay unchanged, meaning the user is forced to log in
again once the refresh token expires.
Possible solutions (from my perspective)
we pass an additional param to the login request specifying the client: web | mobile. If the client is mobile, refresh token validity is extended to expire in 1-2 years. Downside: this will break the whole idea of having tokens that expire. I personally see this as a security issue.
we store credentials in the mobile app's local storage. Once the session expires, the app uses the credentials to re-authenticate. Downside: again, I don't think this is a good idea; having credentials stored on any device makes the flow vulnerable.
What I am looking for is kind of a best practice to solve this.
You are right, it's a security risk to have tokens that never expire or expire in a few years, but they are used. Anyway, one thing you could do is to add a field in the refresh token endpoint that, when you set it to true (defaults to false), would also extend the lifespan of the refresh token. And you could periodically call that endpoint from your app. It should work even when it's in the background.
Or
If you wanna store the credentials in the local storage at least store them encrypted. You might need to create an endpoint that encrypts them because you should not have the private key in the mobile app. Then you'll probably need to create a custom authentication method that takes the encrypted credentials and compares them with the ones in the database.
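The answer's "extend the lifespan on refresh" idea, carried through as an added example that is neither the asker's nor the answerer's code: a server-side refresh token service with a sliding idle window per client kind (short for web, long for mobile) under an absolute cap counted from the original login, single-use rotation with reuse detection, and a per-user password version so a password change on any device ends every session. Client kinds, policy values, the in-memory dictionaries and the `Demo` class are assumptions for the example; a Spring Boot backend would implement the same rules against its database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public enum ClientKind { Web, Mobile }

// Idle slides forward on every successful refresh; Absolute is counted from login and never moves.
public sealed class RefreshPolicy { public TimeSpan Idle { get; set; } public TimeSpan Absolute { get; set; } }

sealed class RefreshRecord
{
    public string UserId;
    public string Family;          // one family per login; rotated tokens share it
    public ClientKind Client;
    public DateTimeOffset LoginAt;
    public DateTimeOffset LastUsed;
    public bool Consumed;          // set once rotated; presenting it again means it was copied
    public long PasswordVersion;   // version at issue time; a mismatch means the password changed elsewhere
}

public sealed class RefreshTokenService
{
    private readonly Dictionary<string, RefreshRecord> _byHash = new Dictionary<string, RefreshRecord>(); // only hashes stored
    private readonly Dictionary<string, long> _passwordVersion = new Dictionary<string, long>();
    private readonly IReadOnlyDictionary<ClientKind, RefreshPolicy> _policy;
    private readonly Func<DateTimeOffset> _now;

    public RefreshTokenService(IReadOnlyDictionary<ClientKind, RefreshPolicy> policy, Func<DateTimeOffset> now)
    { _policy = policy; _now = now; }

    public string Login(string userId, ClientKind client)
    {
        var now = _now();
        return Issue(userId, NewToken(), client, now, now);
    }

    // Returns a replacement refresh token, or null when the session must end and the user log in again.
    public string Refresh(string presented)
    {
        var now = _now();
        if (!_byHash.TryGetValue(Hash(presented), out var rec)) return null;
        var p = _policy[rec.Client];
        bool reused = rec.Consumed;
        bool idleExpired = now - rec.LastUsed > p.Idle;
        bool capExpired = now - rec.LoginAt > p.Absolute;
        bool passwordChanged = rec.PasswordVersion != VersionOf(rec.UserId);
        if (reused || idleExpired || capExpired || passwordChanged)
        {
            RevokeFamily(rec.Family); // reuse of a rotated token: treat as theft and kill every sibling
            return null;
        }
        rec.Consumed = true;
        return Issue(rec.UserId, rec.Family, rec.Client, rec.LoginAt, now);
    }

    public void ChangePassword(string userId) => _passwordVersion[userId] = VersionOf(userId) + 1;

    private string Issue(string userId, string family, ClientKind client, DateTimeOffset loginAt, DateTimeOffset now)
    {
        var token = NewToken();
        _byHash[Hash(token)] = new RefreshRecord
        {
            UserId = userId, Family = family, Client = client, LoginAt = loginAt,
            LastUsed = now, PasswordVersion = VersionOf(userId)
        };
        return token; // sent to the client; the server keeps only its hash
    }

    private void RevokeFamily(string family)
    {
        var dead = new List<string>();
        foreach (var kv in _byHash) if (kv.Value.Family == family) dead.Add(kv.Key);
        foreach (var k in dead) _byHash.Remove(k);
    }

    private long VersionOf(string userId) => _passwordVersion.TryGetValue(userId, out var v) ? v : 0;

    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

public static class Demo
{
    public static void Main()
    {
        var clock = DateTimeOffset.UtcNow; // constructed clock so the demo can move time forward
        var svc = new RefreshTokenService(new Dictionary<ClientKind, RefreshPolicy>
        {
            [ClientKind.Web] = new RefreshPolicy { Idle = TimeSpan.FromDays(2), Absolute = TimeSpan.FromDays(2) },
            [ClientKind.Mobile] = new RefreshPolicy { Idle = TimeSpan.FromDays(30), Absolute = TimeSpan.FromDays(365) },
        }, () => clock);
        var t1 = svc.Login("alice", ClientKind.Mobile);
        clock = clock.AddDays(20);
        var t2 = svc.Refresh(t1);      // inside the idle window: rotated
        var replay = svc.Refresh(t1);  // t1 already rotated: family revoked
        svc.ChangePassword("alice");
        var later = svc.Refresh(t2);   // password version moved on (and family is gone)
        Console.WriteLine($"t2 issued: {t2 != null}; replay accepted: {replay != null}; after change accepted: {later != null}");
    }
}
```

With this shape the mobile client can stay signed in for as long as it is actually used, the web client keeps its short policy, and a stolen refresh token is bounded by the idle window, by the absolute cap, and by reuse detection, which a plain "1-2 year" token would not be.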

MSTeams Store auth token after tabs authentication flow

I've put together the authentication flow for Tabs with the signin start page, end page and getting the token back from my Identity Provider (Cognito in this case)
Now I have this token. Initially, I figured I'd simply store it in localStorage and refer to it, but it seems that Teams clears the storage every time you refresh a Tab.
As a result, my user gets the login flow again when they switch tabs.
How do you store the token (or ANY info for that matter) to access from all tabs? Or from chats? Bots?
How about Bots info if the token is obtained through the Bot OAuth card?
The examples are so unclear and not even close to the code given by the MS Teams Toolkit from VSCode...
Thanks everyone!

How to integrate Facebook Login in Xamarin forms without Logging out

I am planning to use Facebook for user authentication in Xamarin forms.
I read that Facebook doesn't allow refresh tokens, so how do I keep the session alive unless the user explicitly signs out?
I found a way to tackle this. The login can be validated using Web Authenticator.
https://learn.microsoft.com/en-us/xamarin/essentials/web-authenticator?tabs=android#using-webauthenticator
Once the user is validated, generate a custom JWT/OAuth token and use this token for the authorization instead. Delete it when the user explicitly signs out, so it will again follow the normal validation process.

How to query a Facebook Oauth2 from server side

I've integrated Spring Security OAuth in my Java backend so that my mobile Android application (using the Facebook Login SDK) can benefit from Facebook Login. In the current flow, the app uses the Facebook Login SDK to fetch an access token from Android, and then passes it to the Java/Spring backend. Then, another OAuth access token (specific to our backend) is issued and sent back to the application.
I wish I could automate the testing, in other words be able to generate fresh Facebook access tokens, and then test the whole thing through to the access to resources on my backend. My entry point is a Facebook access token.
I've failed to generate on-the-fly access tokens, then looked into never-expiring tokens I could hard-wire in my tests.
However, I've failed in generating never-expiring tokens: at best, changing a short-lived token to a long-lived token returns a token valid for 2 months only.
I've also tried https://www.facebook.com/dialog/oauth?client_id=xxxxxxxxxxxxxxx&redirect_uri=http://www.xxxx.com&granted_scopes=email,public_profile, but this only works when my cookies are available (only works from my web browser).
Also tried getting a device code, but I was stuck at the point where I had to "simulate" the user submitting the code into the web form.
Is there a known way to automate the testing?
As #The1Fitz explained, "you cannot get a never expiring token anymore. You will need to make do with the maximum 2 month expiry date."

Spring Social LinkedIn - how to conditionally redirect or pass parameters?

We're using Spring Social LinkedIn in a single page javascript app to authenticate a user. We're able to successfully authenticate against LinkedIn, but we're having trouble getting that to integrate with our javascript app. It actually breaks down into two issues:
Issue 1:
We're using one API key for a set of related apps - and we use a single sign-in process. We need a way to identify which app the user came from and to send them back to the right app after logging in. The problem we're having is LinkedIn only allows one redirect URL and I don't believe it can carry any parameters (that would probably be the solution if it's possible to carry a parameter like the identifier of the app they're in). Do you know of a way to conditionally redirect the person after login?
Issue 2:
When the user is authenticated, we store the user info in our database, but after that we need to log the user into our app and provide the user with a token. Is there a way after the LinkedIn authentication completes to trigger another call to the server to request the token?
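For the first issue, OAuth 2.0 (RFC 6749) returns the `state` parameter unchanged to the single registered redirect URI, so the originating app's identifier can ride in `state` instead of the redirect URL, provided the value is integrity-protected and bound to the browser session so it cannot be used as an open redirect or a CSRF vector. The following is an added example, not part of the question or of Spring Social: an HMAC-signed `state` that carries the app id, a per-login nonce and an expiry, and a `Verify` that returns the app to send the user back to only when the signature, expiry and session nonce all check out. The key, the app-id format and the allow-list are assumptions for the example; the same layout is easy to reproduce in Java on the Spring side.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// state = base64url("<appId>|<nonce>|<expiresUnix>") + "." + base64url(HMAC-SHA256 of the first part)
public static class OAuthState
{
    // Assumption: a 32+ byte server-side secret loaded from configuration, never shipped to clients.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-random-secret-from-config");

    // Only app ids you actually operate may be redirect targets; this is what stops an open redirect.
    private static readonly Dictionary<string, string> AppReturnUrls = new Dictionary<string, string>
    {
        ["crm"] = "https://crm.example.invalid/after-login",       // constructed values
        ["billing"] = "https://billing.example.invalid/after-login",
    };

    public static string NewNonce()
    {
        var b = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return B64Url(b);
    }

    public static string Create(string appId, string nonce, DateTimeOffset expires)
    {
        if (!AppReturnUrls.ContainsKey(appId)) throw new ArgumentException("unknown app id");
        var payload = B64Url(Encoding.UTF8.GetBytes($"{appId}|{nonce}|{expires.ToUnixTimeSeconds()}"));
        return payload + "." + B64Url(Mac(payload));
    }

    // Returns the URL to send the user to after login, or null if state is forged, expired,
    // not bound to this browser's session, or names an app we do not know.
    public static string Verify(string state, string sessionNonce, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(state) || string.IsNullOrEmpty(sessionNonce)) return null;
        var parts = state.Split('.');
        if (parts.Length != 2) return null;
        string[] fields;
        byte[] given;
        try
        {
            given = FromB64Url(parts[1]);
            fields = Encoding.UTF8.GetString(FromB64Url(parts[0])).Split('|');
        }
        catch (FormatException) { return null; }
        if (!CryptographicOperations.FixedTimeEquals(Mac(parts[0]), given)) return null; // check MAC before trusting fields
        if (fields.Length != 3) return null;
        if (!long.TryParse(fields[2], out var exp) || now.ToUnixTimeSeconds() > exp) return null;
        if (fields[1] != sessionNonce) return null; // the callback must come from the browser that started the login
        return AppReturnUrls.TryGetValue(fields[0], out var url) ? url : null;
    }

    private static byte[] Mac(string data)
    {
        using (var h = new HMACSHA256(Key)) return h.ComputeHash(Encoding.ASCII.GetBytes(data));
    }

    private static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Convert.FromBase64String(s);
    }
}

public static class StateDemo
{
    public static void Main()
    {
        // At login start: mint a nonce, keep it in the server-side session (cookie), put state on the redirect.
        var nonce = OAuthState.NewNonce();
        var state = OAuthState.Create("crm", nonce, DateTimeOffset.UtcNow.AddMinutes(10));
        // At the callback: verify with the nonce from the same session before issuing your own token.
        var target = OAuthState.Verify(state, nonce, DateTimeOffset.UtcNow);
        var tampered = OAuthState.Verify(state.Replace("crm", "billing"), nonce, DateTimeOffset.UtcNow);
        Console.WriteLine($"target={target ?? "rejected"}; tampered={tampered ?? "rejected"}");
    }
}
```

The second issue follows from the first: the callback handler that calls `Verify` already knows which user just authenticated, so it can mint the app's own session token there and include it in the redirect to the returned URL (a fragment or a one-time code exchanged by the SPA), rather than waiting for a separate call from the page.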
