I am pretty new to OAuth2 and I am wondering what should happen in a scenario where a user changes the username used to authorize a client.
Should all access tokens expire after the change is successful, requiring the client to request a new access code?
or
Should the access tokens be updated with the new username by the authentication server?
In normal cases, the username of a user and the unique ID of the user are different. If an access token is associated with the unique ID (not with the username), you don't have to invalidate or update access tokens even if the username is changed.
Otherwise, if you associate access tokens with the username (not with the unique ID), then when the username is changed you should invalidate the access tokens or update them with the new username.
The OAuth spec doesn't specify what should happen -- once the user passes authentication and gets a token, they have an active authorization "session" as long as that token is valid.
You can invalidate tokens, and authorization sessions, as you like, though. So as a matter of policy, if you want to invalidate their tokens when there's a change to the account, then you are free to do that.
Just remember to invalidate both access tokens and refresh tokens for the user, or else they might just use their refresh token to start over with an access token.
I had a couple of followup questions in reference to the answer:
Does the user access token obtained using the OAuth flow expire after a given time period by default? It does mention here that they never expire, but I wanted to confirm once.
Authorization codes required to get a user access token expire 10 minutes after issuance. In such a scenario, will the user have to be redirected again?
If the user either uninstalls the application or revokes the token and, say, decides to reinstall the application later,
is the user access token in this scenario now different from what it was before the app reinstallation?
Correct, access tokens don't expire unless you have enabled token rotation.
Yes, in that case the user would have to be redirected again.
Yes, once a user uninstalls the app and the token is revoked, that token will never be usable again. When the same user re-installs the app, a new access token is provided.
How do I revoke the access token and refresh token of a user as an admin user, while using JWT in OAuth2? Is it recommended to store the token in a database?
If you want to be able to revoke tokens, then there is no other way but to keep some data in the database. You can either keep the concrete tokens and mark them as revoked until they expire, or you can keep an entry with clientID/userID and a timestamp, and not accept tokens issued to that client/user before the given timestamp.
If you want to be able to revoke access tokens, then you have to remember that all APIs which consume that token will have to call that database to check whether the token was revoked or not. It is usually easier to have short-lived access tokens (15 or even 5 minutes) and only deal with revoking the refresh token, as the RT is only used by your Authorization Server.
So I read about how authentication is done using JWT, where we basically verify that the token is valid using a private key (assuming RSA is the algorithm). If the token is valid, then the user is considered authenticated. I also read about session authentication, where we check whether the session ID supplied by the user (through a cookie) exists in the session store (assuming MySQL / Redis is used to store sessions). If it exists, then the user is considered authenticated.
But how do we use JWT and sessions for authorization? Let's consider an action such as GET invoice, whereby a user can only view the invoices that he owns.
If we consider that the user is already authenticated,
how do we check whether the user is authorized if we are using JWT?
And how do we do it for sessions?
You are probably confusing things. One of the benefits of using JWT is to avoid maintaining sessions, which is a big bottleneck in scaling.
A JWT (JSON Web Token) carries all the information required to get authenticated, so you don't need to maintain a session. Every single HTTP request to the server will carry the JWT, which contains the necessary user claims along with the signature. On the server you validate the signature to verify whether the token is valid or not. You can verify the token without maintaining any session, and there are a number of ways to do it.
Since a JWT is essentially a JSON object (header, body, signature), you can put claims (email, roles, profile, etc.) in the JWT body. Once you verify the token, you can extract the claims, including any roles, and check whether the user is authorized to access the resource.
You must look into OpenID Connect and tokens here.
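The following is an added example, not code posted in this thread. It ties together the two answers above: an HS256 JWT is minted with a stable user id (`sub`) and issued-at time, verified by signature and expiry with no session store, then authorised purely from its claims (the hypothetical `billing-admin` role and an owner check on `sub`, so a username change does not affect it). Revocation follows the earlier answer's second option: a registry keyed by (client_id, user_id) with a cut-off timestamp, consulted by the API, while short-lived tokens fall out on their own. Key, claim names other than the standard `sub`/`iat`/`exp`, and the invoice data are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key (hypothetical); a real authorization server loads it from a secrets store.
SIGNING_KEY = b"constructed-demo-hmac-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Check signature and expiry; return the claims or raise ValueError. No session store needed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse 'none' / algorithm confusion
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims.get("exp", 0):                 # a token without exp is rejected too
        raise ValueError("expired")
    return claims


class RevocationRegistry:
    """Stands in for the (clientID, userID, timestamp) table from the answer above:
    any token issued to that client/user at or before the timestamp is rejected."""

    def __init__(self) -> None:
        self._cutoff = {}

    def revoke_all(self, client_id: str, sub: str, now: int) -> None:
        self._cutoff[(client_id, sub)] = now

    def is_revoked(self, claims: dict) -> bool:
        cutoff = self._cutoff.get((claims["client_id"], claims["sub"]))
        return cutoff is not None and claims["iat"] <= cutoff


def authorize_invoice(claims: dict, invoice: dict) -> bool:
    """Authorization from claims: the owner (matched on the stable user id, not the
    username) or anyone holding the hypothetical 'billing-admin' role may read it."""
    return invoice["owner"] == claims["sub"] or "billing-admin" in claims.get("roles", [])


def try_verify(token: str, now: int) -> Optional[dict]:
    try:
        return verify_jwt(token, SIGNING_KEY, now)
    except ValueError:
        return None


def demo() -> dict:
    """Walk through the thread's scenarios on constructed data."""
    now = 1_700_000_000
    registry = RevocationRegistry()
    claims = {"sub": "user-42", "preferred_username": "alice", "client_id": "web-spa",
              "roles": ["customer"], "iat": now, "exp": now + 300}   # 5-minute access token
    token = mint_jwt(claims, SIGNING_KEY)
    verified = verify_jwt(token, SIGNING_KEY, now + 10)
    # An attacker re-signing an escalated payload with the wrong key must be rejected.
    forged = mint_jwt({**claims, "roles": ["billing-admin"]}, b"attacker-guessed-key")
    results = {
        "own_invoice": authorize_invoice(verified, {"id": "inv-1", "owner": "user-42"}),
        "others_invoice": authorize_invoice(verified, {"id": "inv-2", "owner": "user-99"}),
        "forged_accepted": try_verify(forged, now + 10) is not None,
        "expired_accepted": try_verify(token, now + 300) is not None,
    }
    # Admin revokes everything issued to this user/client; APIs that consult the registry
    # now reject the still-unexpired token, while a token minted afterwards passes.
    registry.revoke_all("web-spa", "user-42", now + 20)
    fresh = verify_jwt(mint_jwt({**claims, "iat": now + 30, "exp": now + 330}, SIGNING_KEY),
                       SIGNING_KEY, now + 40)
    results["old_token_revoked"] = registry.is_revoked(verified)
    results["fresh_token_revoked"] = registry.is_revoked(fresh)
    return results
```

Note the trade-off the answer describes: `verify_jwt` needs no shared state, but `RevocationRegistry.is_revoked` is a lookup every API must perform. Keeping `exp` at a few minutes and revoking only refresh tokens at the authorization server avoids that lookup entirely.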
If I have a single-page web application with a Laravel back end, my best option for authentication seems to be Passport with the Password Grant authentication flow. In Passport, this returns an access token and a refresh token.
For security, I would like to issue a short-lived access token and refresh it when it expires. However, all the available information about using OAuth with a JavaScript application says "don't make your refresh token accessible to the front end", because it's long-lived and can be used by others to generate new access tokens.
For example:
A Single-Page Application (normally implementing Implicit Flow) should not ever receive a Refresh Token. A Refresh Token is essentially a user credential that allows a user to remain authenticated indefinitely. This sensitive information should be stored securely and not exposed client-side in a browser.
Does this mean that a browser-based SPA cannot use refresh tokens and must, therefore, only issue access tokens that expire after a reasonable "session" length, forcing the user to log in again afterwards?
Otherwise, is there a suitable way to implement short-lifespan access tokens and refresh tokens in a Laravel Passport app with Password Grant authentication, while maintaining good security?
There is no harm in storing the refresh token, as it can be used to get another access token after the (short-lived, as you mentioned) access token expires, which creates a good user experience.
I need a token (or key) to use in API requests as a bearer token.
The idea is to set it once for a user and access resources without logging in.
I tried to use the access_token for it, but the max expiration time is 1 day.
So, I need a token:
- With an expiration time >30 days
- which uniquely identifies the user
- Contains authentication data, like roles and groups
Any idea how this can be done with Okta?
If you're using OAuth in conjunction with Okta, you can use a refresh_token (which can have a much longer expiration, including unlimited) to fetch a new access_token.
So you wouldn't need end user (resource owner) interaction. But when the access_token expires, you would need to fetch a new one using the refresh_token.
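As an added example (not from this thread, and not Okta's SDK), the exchange the answer describes, which is also the short-lived access token plus refresh token pattern asked about in the Laravel question above. A mock authorization server stands in for the /token endpoint; the client keeps the token pair, renews the access token shortly before it expires using the refresh_token grant, and stores the replacement refresh token. The one-day access token lifetime comes from the question; single-use refresh tokens (rotation), the `client_id`, and the token formats are assumptions for the demo.

```python
import secrets

ACCESS_TTL = 24 * 3600   # one-day maximum access token life, as stated in the question
REFRESH_SKEW = 60        # renew this many seconds before the access token expires


class MockAuthorizationServer:
    """Stand-in for an OAuth /token endpoint that honours the refresh_token grant.
    Each refresh token is single-use and replaced (rotation), an assumed policy."""

    def __init__(self) -> None:
        self._refresh_tokens = {}      # refresh_token -> subject it was issued to

    def issue(self, sub: str, now: int) -> dict:
        rt = secrets.token_urlsafe(32)
        self._refresh_tokens[rt] = sub
        # Opaque access token (constructed format); a resource server would introspect or validate it.
        return {"access_token": f"at-{sub}-{now}", "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": rt}

    def token_endpoint(self, form: dict, now: int) -> dict:
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        sub = self._refresh_tokens.pop(form.get("refresh_token", ""), None)
        if sub is None:                         # unknown, already used, or revoked
            return {"error": "invalid_grant"}
        return self.issue(sub, now)

    def revoke_refresh_token(self, rt: str) -> None:
        """Revocation only has to happen here, at the AS; no API has to look anything up."""
        self._refresh_tokens.pop(rt, None)


class TokenClient:
    """Holds the token pair and transparently refreshes before the access token expires."""

    def __init__(self, server: MockAuthorizationServer, response: dict, now: int) -> None:
        self.server = server
        self.refresh_count = 0
        self._store(response, now)

    def _store(self, response: dict, now: int) -> None:
        self.access_token = response["access_token"]
        self.expires_at = now + response["expires_in"]
        self.refresh_token = response["refresh_token"]   # always keep the newest one

    def bearer(self, now: int) -> str:
        """Return the Authorization header value, refreshing if the token is (nearly) expired."""
        if now >= self.expires_at - REFRESH_SKEW:
            resp = self.server.token_endpoint(
                {"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                 "client_id": "example-client"}, now)          # hypothetical client_id
            if "error" in resp:
                raise PermissionError(f"refresh failed: {resp['error']}; user must log in again")
            self._store(resp, now)
            self.refresh_count += 1
        return f"Bearer {self.access_token}"


def demo() -> dict:
    """Thirty days of daily API calls with no user interaction, then a revocation."""
    server = MockAuthorizationServer()
    t0 = 1_700_000_000
    client = TokenClient(server, server.issue("user-42", t0), t0)
    first_rt = client.refresh_token
    headers = [client.bearer(t0 + day * ACCESS_TTL) for day in range(31)]
    # A leaked, already-rotated refresh token is useless to whoever captured it.
    replay = server.token_endpoint({"grant_type": "refresh_token", "refresh_token": first_rt},
                                   t0 + 31 * ACCESS_TTL)
    # Admin revokes the current refresh token; the next renewal fails and the user must log in.
    server.revoke_refresh_token(client.refresh_token)
    try:
        client.bearer(t0 + 31 * ACCESS_TTL)
        relogin_needed = False
    except PermissionError:
        relogin_needed = True
    return {"distinct_access_tokens": len(set(headers)), "refreshes": client.refresh_count,
            "refresh_token_rotated": client.refresh_token != first_rt,
            "old_rt_replay_rejected": replay.get("error") == "invalid_grant",
            "relogin_needed": relogin_needed}
```

The refresh margin matters in practice: renewing exactly at `exp` races the resource server's clock, so the client treats a token as expired `REFRESH_SKEW` seconds early. Because each refresh returns a new refresh token here, the client must persist the latest one; holding on to the original would lock the user out after the first rotation.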