ASP.NET and JWT Refresh Tokens

  • Published 31 Aug 2023
  • Your JSON Web Token has expired. Do you have to go to the effort of entering your name and password again? Not if you have a refresh token.
    Source code available at: github.com/JasperKent/WebApi-...
    Topics include:
    - Trading off security and convenience
    - Synchronizing servers with ClockSkew
    - Distinguishing the authentication server and the data server
    - Storing refresh tokens on the database
    - Returning a new JWT in exchange for an expired JWT and a refresh token
    - Revoking a refresh token
  • Science & Technology
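The refresh exchange the video describes (expired JWT plus refresh token in, new JWT plus rotated refresh token out), written out here as an added example in C#; this is not the code from the linked repository. It assumes an Identity user type `AppUser` with `RefreshToken` and `RefreshTokenExpiry` columns that the login endpoint (not shown) populates, configuration keys `Jwt:Key`, `Jwt:Issuer` and `Jwt:Audience`, and the `System.IdentityModel.Tokens.Jwt` package. The endpoint validates everything about the expired JWT except its lifetime, then requires the stored refresh token to match before issuing a new pair.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

// Assumed user type: the refresh token is stored on the Identity user row, as in the video.
public class AppUser : IdentityUser
{
    public string? RefreshToken { get; set; }
    public DateTime RefreshTokenExpiry { get; set; }
}

public record RefreshRequest(string ExpiredJwt, string RefreshToken);
public record TokenResponse(string Jwt, string RefreshToken);

[ApiController]
[Route("auth")]
public class AuthController : ControllerBase
{
    private readonly UserManager<AppUser> _users;
    private readonly IConfiguration _config;
    private readonly ILogger<AuthController> _log;

    public AuthController(UserManager<AppUser> users, IConfiguration config, ILogger<AuthController> log)
        => (_users, _config, _log) = (users, config, log);

    // Anonymous on purpose: the caller's JWT is expired, so [Authorize] would reject it before we got here.
    [HttpPost("refresh")]
    [AllowAnonymous]
    public async Task<ActionResult<TokenResponse>> Refresh(RefreshRequest req)
    {
        var userName = PrincipalFromExpiredJwt(req.ExpiredJwt)?.Identity?.Name;
        if (userName is null)
        {
            _log.LogWarning("Refresh rejected: JWT failed signature, issuer or audience validation");
            return Unauthorized();
        }

        // Both halves must match: a validly signed (expired) JWT for this user AND the refresh token stored for them.
        var user = await _users.FindByNameAsync(userName);
        if (user?.RefreshToken is null
            || user.RefreshTokenExpiry < DateTime.UtcNow
            || !CryptographicOperations.FixedTimeEquals(
                   Encoding.UTF8.GetBytes(user.RefreshToken), Encoding.UTF8.GetBytes(req.RefreshToken)))
        {
            _log.LogWarning("Refresh rejected for {User}: refresh token missing, expired or mismatched", userName);
            return Unauthorized();
        }

        // Rotate: the presented refresh token is replaced, so a stolen copy stops working after one use.
        // RefreshTokenExpiry is deliberately left as set at login, so the session hard-expires;
        // sliding it forward here is the convenience-versus-security trade-off the video mentions.
        user.RefreshToken = NewRefreshToken();
        await _users.UpdateAsync(user);
        return new TokenResponse(CreateJwt(user), user.RefreshToken);
    }

    // Validate everything about the expired JWT except its lifetime.
    private ClaimsPrincipal? PrincipalFromExpiredJwt(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = _config["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = _config["Jwt:Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = SigningKey(),
            ValidateLifetime = false,   // expiry is expected here, so ClockSkew plays no part in this check
        };
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out var validated);
            // Pin the algorithm: a token re-signed with a different alg must not be accepted.
            return validated is JwtSecurityToken jst
                && jst.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.Ordinal)
                ? principal : null;
        }
        catch (Exception e) when (e is SecurityTokenException or ArgumentException)
        {
            return null;   // bad signature, wrong issuer/audience, or not a JWT at all
        }
    }

    private string CreateJwt(AppUser user)
    {
        var token = new JwtSecurityToken(
            issuer: _config["Jwt:Issuer"],
            audience: _config["Jwt:Audience"],
            claims: new[]
            {
                new Claim(ClaimTypes.Name, user.UserName!),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            },
            expires: DateTime.UtcNow.AddMinutes(5),   // short-lived; the refresh token carries the session
            signingCredentials: new SigningCredentials(SigningKey(), SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    private SymmetricSecurityKey SigningKey() => new(Encoding.UTF8.GetBytes(_config["Jwt:Key"]!));

    private static string NewRefreshToken() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));
}
```

Two things this block relies on but does not show: the bearer middleware on the data server (`AddJwtBearer` in Program.cs) does its own validation with `ValidateLifetime = true`, and that is where `ClockSkew` matters. `TokenValidationParameters` defaults it to five minutes, which is why a JWT with a five-minute `exp` is still accepted well past its nominal expiry; set it to `TimeSpan.Zero` or a few seconds once the authentication and data servers share a clock source. `Jwt:Key` should be a long random secret (32 or more random bytes), not a passphrase, since HS256 security rests entirely on it.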

COMMENTS • 33

  • @CodingTutorialsAreGo  9 months ago +3

    Do you use refresh tokens or just stick with JWTs? Let me know in the comments.
    Server code available at: github.com/JasperKent/WebApi-Authentication
    Remember to subscribe at ua-cam.com/channels/qWQzlUDdllnLmtgfSgYTCA.html
    And if you liked the video, click the 👍.

  • @TrevorWinns 2 months ago +1

    Spent ages trying to find a decent video and glad I bumped into this one. Have subbed to your channel as well. Keep up the good work!

  • @marceloleoncaceres6826 3 months ago +3

    Great video! Maybe it's the only one that uses logging, which I think is very important. Thanks a lot.

  • @ex1us 2 months ago +3

    Thank you for the tutorial! This is really useful for me.

  • @tobiaszwojnar1465 2 months ago +1

    Your videos are amazing. Yet another time, only after watching your video do I truly get an understanding of how something works.

  • @alisonhj 6 months ago +2

    Great content! Thanks for sharing this awesome tutorial!

  • @mostafaessam592 7 days ago +1

    Awesome video ❤

  • @georgehomorozeanu 5 months ago +2

    High quality content, as usual. Very appreciated! Many thanks.

  • @marcioalexandremarcondes557 2 months ago +1

    Very very nice!! Thank you so much!

  • @10Totti 9 months ago +3

    Best tutorial!

  • @Lashib 5 months ago +1

    I can't say thank you enough. You literally saved me. Thank you very much, sir. I tried to watch so many tutorials but failed because they are not beginner friendly. But you explain everything from the fundamental level so anyone could understand it.
    I have one question. Why did you choose to use an Authentication Handler instead of updating the Authentication State provider and using it for accessing the login state?

    • @CodingTutorialsAreGo  5 months ago +1

      The AuthenticationStateProvider is a whole video in itself, so I thought this was a better way to focus on the refresh tokens.

    • @Lashib 5 months ago +1

      @@CodingTutorialsAreGo Thanks. Waiting for it.

  • @diegomelgar2696 1 month ago +1

    Hi Jasper, again thanks for a high quality content video!!
    I wonder, having the ClockSkew within the gap of the Timespan defined in the validation parameters.
    Wouldn’t it be appropriate to make the refresh token endpoint protected with Authorize attribute and documenting that the refresh token endpoint must be called within X seconds/minutes of time span in order to generate a new JWT?
    So, instead of creating a logic for adding a column or attribute for Refresh Token in Users table, the clockskew is the key for refreshing a new JWT, thus the Authorize data annotation will do the work to validate the token.
    Thanks again for your videos, they are very helpful 💯

    • @CodingTutorialsAreGo  1 month ago +1

      I've never seen that done. I'm not sure the idea of requiring the client to refresh within a time limit is a very good idea. It would require the client software to be running a timer, which obviously wouldn't work if the client shut down (which also would lose tokens in session storage, but not local storage). Even if the client did stay up, it would mean unnecessary transmission and refreshes of tokens when the client code decided to update but the user didn't, which would be a potential security compromise.

    • @diegomelgar2696 1 month ago

      @@CodingTutorialsAreGo The scenario I am talking about is exactly that, in which the client code will pop up a modal with a timer that tells the user "hey, you have X seconds/minutes left to stay up in the session. Would you like to extend your session?"
      And if the timer reaches 0 seconds, then it would automatically log out the user.
      This leads me to a second question. How to invalidate the JWT when the user logs out and the JWT is still valid? The client might erase the token from the cookie or local storage, but as you mentioned it could be stolen, for example in a man-in-the-middle attack.
      Thanks Jasper!

    • @CodingTutorialsAreGo  1 month ago +1

      @@diegomelgar2696 That's one of the key things about JWTs - they cannot be invalidated, whereas refresh tokens can. That's why we have JWTs with a short expiry and refresh tokens with a longer one.
      I say they cannot be invalidated. You could make it so that the server holds a list of invalid JWTs which it rejects if they are used, but that's not the intended approach.

    • @diegomelgar2696 1 month ago +1

      @@CodingTutorialsAreGo nice, thank you for your time and explanation Jasper!!

  • @johannes3980 1 month ago +1

    Great Video!

  • @sadafziya5636 5 months ago +1

    Awesome, thanks for this great video.

  • @Rohit-gq4pv 16 days ago +1

    Just a question: what if the same user logs in on two different devices?
    For example, a user logs in on the first device; it will update the RefreshToken column for that user in the AspNetUsers table. On the device 2 login, it will update the existing RefreshToken column value (it will replace the device 1 refresh token with the device 2 refresh token). So for device 1, how will the refresh token work?
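The multi-device problem raised above comes from keeping one RefreshToken column on the user row. The usual fix is a separate table with one row per device session, which also gives a natural place for the revocation the video lists as a topic. The following is an added example (C# with EF Core), not code from the video or its repository, and it goes beyond the video's design in three ways: tokens are stored hashed, a rotated-out token that is presented again is treated as a replay and ends every session for that user, and revocation can target one device or all of them. `AppDbContext`, `UserRefreshToken` and the `Device` label supplied at login are assumptions of this example.

```csharp
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.EntityFrameworkCore;

// One row per device/session instead of a single RefreshToken column on AspNetUsers,
// so a login on device 2 no longer overwrites device 1's token.
public class UserRefreshToken
{
    public int Id { get; set; }
    public string UserId { get; set; } = default!;
    public string TokenHash { get; set; } = default!;   // SHA-256 of the token; the raw value is never stored
    public string Device { get; set; } = default!;      // label supplied at login, e.g. "phone" or "work laptop"
    public DateTime Expires { get; set; }
    public DateTime? RevokedAt { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<UserRefreshToken> RefreshTokens => Set<UserRefreshToken>();
}

public class RefreshTokenService
{
    private readonly AppDbContext _db;
    private readonly TimeSpan _lifetime;

    public RefreshTokenService(AppDbContext db, TimeSpan lifetime) => (_db, _lifetime) = (db, lifetime);

    // Hashing means a copy of the database (backup, SQL injection, broad DBA access) yields no usable tokens.
    public static string Hash(string token)
        => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Called at login: each device gets its own token and the others keep working.
    public async Task<string> IssueAsync(string userId, string device)
    {
        var raw = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));
        _db.RefreshTokens.Add(new UserRefreshToken
        {
            UserId = userId, Device = device, TokenHash = Hash(raw), Expires = DateTime.UtcNow.Add(_lifetime)
        });
        await _db.SaveChangesAsync();
        return raw;
    }

    // Called from the refresh endpoint after the expired JWT has been checked. Returns the
    // replacement token, or null if the presented one is unknown, expired or already used.
    public async Task<string?> RotateAsync(string userId, string presented)
    {
        var hash = Hash(presented);
        var row = await _db.RefreshTokens
            .SingleOrDefaultAsync(t => t.UserId == userId && t.TokenHash == hash);
        if (row is null) return null;

        if (row.RevokedAt is not null)
        {
            // A rotated-out token came back: either a client race or an attacker replaying a stolen copy.
            // We cannot tell which, so end every session for this user and force a fresh login everywhere.
            await RevokeAllAsync(userId);
            return null;
        }
        if (row.Expires <= DateTime.UtcNow) return null;

        row.RevokedAt = DateTime.UtcNow;
        return await IssueAsync(userId, row.Device);   // IssueAsync's SaveChangesAsync persists both changes
    }

    // "Log out this device": revoke only the presented token.
    public async Task<bool> RevokeAsync(string userId, string presented)
    {
        var hash = Hash(presented);
        var row = await _db.RefreshTokens
            .SingleOrDefaultAsync(t => t.UserId == userId && t.TokenHash == hash && t.RevokedAt == null);
        if (row is null) return false;
        row.RevokedAt = DateTime.UtcNow;
        await _db.SaveChangesAsync();
        return true;
    }

    // "Log out everywhere", password change, or suspected compromise.
    public async Task RevokeAllAsync(string userId)
    {
        var rows = await _db.RefreshTokens
            .Where(t => t.UserId == userId && t.RevokedAt == null).ToListAsync();
        foreach (var r in rows) r.RevokedAt = DateTime.UtcNow;
        await _db.SaveChangesAsync();
    }
}
```

Put a unique index on `TokenHash` so the `SingleOrDefaultAsync` lookups are cheap and a hash collision in storage is impossible rather than merely unlikely, and run a periodic job that deletes rows whose `Expires` is well in the past. Note that none of this touches already-issued JWTs: as the author says in the thread below, those stay valid until `exp`, which is why the JWT lifetime is kept short.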

  • @johannes3980 28 days ago

    I have a question. When I have a MAUI app as the client, for example, what is the best practice for the refresh flow to maintain a high user experience? Because when the access token is invalid, it would take six calls until I have the data if the token needs to be refreshed. So, should the token be refreshed in the background if it’s expired to maintain a high UX? Regards
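A client-side answer to the question above, added here as an example and not taken from the video's Blazor handler: a `DelegatingHandler` that refreshes before a call when the JWT is about to expire (so the common case costs no extra round trip), and otherwise refreshes once and retries once on a 401. `ITokenStore` is an assumed abstraction over wherever the client keeps its tokens (SecureStorage in MAUI, local or session storage in Blazor); the `auth/refresh` route, the request and response record shapes, and the assumption that the `HttpClient` passed in has its `BaseAddress` set to the authentication server are this example's, not the video's.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;

// Assumed storage abstraction; in MAUI this would wrap SecureStorage, in Blazor localStorage.
public interface ITokenStore
{
    Task<(string Jwt, string RefreshToken)?> GetAsync();
    Task SetAsync(string jwt, string refreshToken);
    Task ClearAsync();
}

public record RefreshRequest(string ExpiredJwt, string RefreshToken);
public record TokenResponse(string Jwt, string RefreshToken);

public class RefreshingAuthHandler : DelegatingHandler
{
    private readonly ITokenStore _store;
    private readonly HttpClient _auth;                 // talks to the authentication server, not the data server
    private readonly SemaphoreSlim _gate = new(1, 1);
    private static readonly TimeSpan Margin = TimeSpan.FromSeconds(30);

    public RefreshingAuthHandler(ITokenStore store, HttpClient auth) => (_store, _auth) = (store, auth);

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var tokens = await _store.GetAsync();
        if (tokens is null) return await base.SendAsync(request, ct);   // not logged in; let the API answer 401

        // Proactive path: refresh in the background of the call if the JWT is about to expire,
        // so the normal case is one request, not a 401 followed by a refresh and a retry.
        if (ExpiresSoon(tokens.Value.Jwt)) tokens = await RefreshAsync(tokens.Value, ct) ?? tokens;

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Value.Jwt);
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode != HttpStatusCode.Unauthorized) return response;

        // Reactive path (clock skew, server-side key rotation): refresh once and retry once, never loop.
        var refreshed = await RefreshAsync(tokens.Value, ct);
        if (refreshed is null) return response;

        var retry = await CloneAsync(request);
        retry.Headers.Authorization = new AuthenticationHeaderValue("Bearer", refreshed.Value.Jwt);
        response.Dispose();
        return await base.SendAsync(retry, ct);
    }

    private static bool ExpiresSoon(string jwt)
    {
        // Reading exp client-side is safe: the client cannot forge it, it only chooses when to refresh.
        var exp = new JwtSecurityTokenHandler().ReadJwtToken(jwt).ValidTo;
        return exp - DateTime.UtcNow < Margin;
    }

    private async Task<(string Jwt, string RefreshToken)?> RefreshAsync(
        (string Jwt, string RefreshToken) current, CancellationToken ct)
    {
        await _gate.WaitAsync(ct);   // parallel requests share one refresh instead of each spending the token
        try
        {
            var latest = await _store.GetAsync();
            if (latest is not null && latest.Value.Jwt != current.Jwt) return latest;   // another caller already refreshed

            var reply = await _auth.PostAsJsonAsync("auth/refresh",
                new RefreshRequest(current.Jwt, current.RefreshToken), ct);
            if (!reply.IsSuccessStatusCode)
            {
                await _store.ClearAsync();   // refresh token revoked or expired: the user must log in again
                return null;
            }
            var fresh = await reply.Content.ReadFromJsonAsync<TokenResponse>(cancellationToken: ct);
            await _store.SetAsync(fresh!.Jwt, fresh.RefreshToken);
            return (fresh.Jwt, fresh.RefreshToken);
        }
        finally { _gate.Release(); }
    }

    // A sent HttpRequestMessage cannot be reused; copy method, URI, headers and a buffered body.
    // Stream bodies that cannot be re-read will not survive this, which is a reason to refresh proactively.
    private static async Task<HttpRequestMessage> CloneAsync(HttpRequestMessage req)
    {
        var clone = new HttpRequestMessage(req.Method, req.RequestUri) { Version = req.Version };
        foreach (var h in req.Headers) clone.Headers.TryAddWithoutValidation(h.Key, h.Value);
        if (req.Content is not null)
        {
            clone.Content = new ByteArrayContent(await req.Content.ReadAsByteArrayAsync());
            foreach (var h in req.Content.Headers) clone.Content.Headers.TryAddWithoutValidation(h.Key, h.Value);
        }
        return clone;
    }
}
```

Register it with `services.AddHttpClient("api", c => c.BaseAddress = ...).AddHttpMessageHandler<RefreshingAuthHandler>()` and give the handler its own plain `HttpClient` for the authentication server, so the refresh call itself does not pass through the handler.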

  • @jacksonjohn9769 2 months ago +1

    Just a question.
    When we are calling the refresh endpoint, do we need to update the expiry time of the refresh token?

    • @CodingTutorialsAreGo  2 months ago

      It's up to you. If you update it, it will be more convenient for the user, but slightly less secure.

  • @wissambishouty1383 4 months ago +1

    Thank you for the fruitful tutorial, but I have one question: why do I need to pass the expired access token and the active refresh token to the refresh endpoint? Why not just send the active refresh token, and then check the users table for the passed refresh token and also check for expiration?

    • @CodingTutorialsAreGo  4 months ago

      It's just a bit safer. A hacker would have to have stolen both.

    • @wissambishouty1383 3 months ago +1

      @@CodingTutorialsAreGo Thank you for your clarification.

  • @christianrazvan 6 months ago +1

    What version of ASP.NET Core is that?