I am using token-based authentication (OAuth 2.0). If the user is valid, a token is generated successfully. All this is fine.
But there is logout functionality. My question is not how to delete the token (it's not possible).
But when I generated the token I had set an expiration time. Now if the user wishes to log out, all I am thinking is to set the token expiration time to Date.now, so that if the user tries to log on with the same token, he gets an access denied exception.
Something like this - https://api.facebook.com/restserver.php?method=auth.expireSession&format=json&access_token=<access_token>
Thanks.
When the token is generated by sending an HTTP request to the web API and the user has started working on the application, that generated token is used in a particular session of the application. If during any HTTP request from the application to the web API the JWT token expires, the web API won't return data. How is this situation handled in the application without any misbehavior or without troubling the user, and how will that request be continued?
And even if we generate a refresh token, how do we continue with the same HTTP request without troubling the user?
(If we store the generated token in the database then we know the token is valid but expired.)
Try this:
Write a backend refresh token API and allow an authenticated user to refresh their JWT token.
In the frontend, before making the API call, decode the user's current JWT token and check whether it is expired or not:
https://www.npmjs.com/package/jwt-decode
If the token has expired, call the refresh token API before the actual request.
If you are using the Angular or React library then there is a mechanism called an HTTP interceptor:
https://www.bezkoder.com/angular-12-refresh-token/
https://www.bezkoder.com/react-refresh-token/
We also give a refresh token to the user along with the token, which has no claims and only has a username and a long expiration date. Every time the token expires, the security part of the application looks at the refresh token and issues a new token for that username. You can manage the issuance of program tokens by setting the refresh token lifetime.
Recently built a JWT token using Web API Core. Just need serious clarification; below are the details.
If User A is logged in using browser tab A, the request has been processed and a token is generated. If User B is logged in using browser tab B, the request has been processed and a token is generated. What will happen if I send User A's token to User B? How do I validate that this token is for this particular logged-in user?
I think you might be misunderstanding the way authentication works generally.
In JWT auth, 'logged in' simply means that the request you're making contains a valid Bearer token. This means that the user that sends a valid token is always the valid logged-in user and there is no need for any further validation.
If however, you need further information based on the Authenticated user, you can access that information from the HttpContext or the ClaimsPrincipal property in your controller named User.
For example:
string accessToken = await HttpContext.GetTokenAsync("Bearer", "access_token"); // raw bearer token saved by the JWT handler
string userName = User.FindFirst(ClaimTypes.Name).Value; // a claim from the validated token's ClaimsPrincipal
NB: You must explicitly store the claims that you'd love to retrieve from the User property.
I have been using Force.com Toolkit for .NET for a long time. Recently one of my clients has started complaining about a session invalid issue. So I started digging and found that I have to refresh the token by calling TokenRefreshAsync, for which I need to pass on the refresh token which I get during authentication. But I am getting a null refresh token from SF.
I have tried every possible thing I found on the internet without any success. "Perform requests on your behalf at any time (refresh_token, offline_access)" is added in OAuth Scopes:
Refresh token expiry is set to 2 days:
This is the simple code I am using to authenticate:
var task = authClient.UsernamePasswordAsync(consumerKey, consumerSecret, username, password, callback); // Username-Password OAuth flow
task.Wait(); // blocks until the token response arrives
What am I missing here?
The Username-Password OAuth flow does not provide a refresh token on Salesforce, regardless of scopes:
This OAuth authentication flow passes the user’s credentials back and forth. Use this authentication flow only when necessary. No refresh token is issued.
If you want a refresh token, you'll need to implement a different OAuth flow (preferable!), or eschew the refresh token and reauthenticate when your access token expires. The latter makes you vulnerable to credential and security token changes on the part of the authenticated user, however, which using a more suitable OAuth flow grants resilience against.
I am using Web API and implemented the default behavior for login, i.e. endpoints using JWT authentication, and now I am facing an issue in invalidating or destroying the JWT token as I want to implement logout functionality.
Can anyone suggest the logic for this situation, i.e. how to deal with JWT token expiration?
Note: For login the GrantResourceOwnerCredentials method is used as usual and it creates the token for authentication purposes.
Once you have issued your token it will be active until it expires.
If you need to perform a logout or 'invalidate' the token you will need to perform an extra step.
What you could do is store a SessionId (that is, a GUID) in the DB on the User table. When a user logs in, send the session id alongside the bearer token. Store this session id in a cookie or in sessionStorage or whatever and send it up to the server with each request. Then you can have a filter applied globally to every action that checks that the SessionId sent up from the client matches the SessionId stored in the database.
Then if you need to invalidate the token, store a new GUID SessionId in the user table; when the next request comes it won't match and you can return a 401 response.
If you want to invalidate certain tokens, you need to store the tokens you give out in a database.
Then you check against those tokens when you validate the incoming token.
When you need to invalidate one, just delete it from the database.
When a user hits our other resources using their authorization bearer token, are we able to get his identity information from that in the back-end C# library, without hitting our database again? We built the identity when crafting the token with the claims and such. I know the user name is in there, but I want some of the other items we added.