Store refresh token in database


I have been researching for a while about storing refresh tokens; however, I am not satisfied with the information I found. I would like to know how you store your refresh token. Some people store them in a database, or in a cache like Redis; however, I think that due to the nature of JWT it should be stateless. But I couldn't find any other solution. I don't want to store it in device storage, because it might cause a critical security leak. Could you share what your thoughts are?

I guess it depends on what you are trying to accomplish or how the tokens are created. I found the database to be a great place to store refresh tokens, because the token is more like a password and it's easier to keep its relationship to the user when stored in the database. Also, it doesn't matter what device the user is using: you can always access the token from the database.


With other methods you can easily lose the token when the cache or cookies are cleared. If you store them on the device, a user may switch devices. Only hit the database for a refresh token when creating a new expiring token.

Thank you for your answers.

Thank you for your answer. I think if you use a database there is no need for the access/refresh token mechanism, because you have an additional layer which you can control. By that I mean you can check the database whether the token exists and is valid, and by deleting the token from the database you invalidate the token, since we are relying on the database.

When I need to remember the refresh token after closing the browser, is it secure to work with localStorage too?


Thank you. You can put that into localStorage, sure. But you might want your user to log in each time they start the browser, no?

I want to log in one time, obtain an access token and a refresh token, save both (probably into localStorage), and then, after closing and reopening the browser, check localStorage to use the refresh token to obtain a new access token without logging in repeatedly. Is this a correct scenario?

Also, refresh tokens aren't designed for JS-based clients. I'd suggest using a long-lived reference token for your JS-based apps.

You recommend not using refresh tokens in a SPA? What does "long-lived reference token" mean? Instead of a refresh token, do I have to redirect to login, or how can I renew the access token without a refresh token and without logging in?

I have started studying the library oidc-token-manager. How does the renew attribute in the configuration work?

Another approach is

Then you write an OwinMiddleware that reads the cookie and adds the access token to the request.

On the other hand, cookies are not mobile friendly. The best option is to protect against both, as described here. Store your tokens in HttpOnly cookies and use a suitably targeted CSRF defence, as suggested here.

And now your server will have access to the access token?


What if you're using a CDN: do you want your users' tokens exposed to a third party? This seems to contradict the advice given by OWASP: "Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag."

How and where to securely store tokens used in token-based authentication depends on the type of app you are using.

The application server uses the tokens to call APIs on behalf of the user. Securing single-page apps (SPAs) comes with its own set of concerns. You'll need to ensure that tokens and other sensitive data are not vulnerable to cross-site scripting and can't be read by malicious JavaScript.

Browser local storage or session storage is not a secure place to store sensitive information. Any data stored there can be accessed through JavaScript, and is therefore exposed to cross-site scripting. If an attacker steals a token, they can gain access to and make requests to your API.

If you have a single-page app (SPA) with no corresponding backend server, your SPA should request new tokens on login and store them in memory without any persistence.
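As an added example (not code from the original page, from Auth0, or from any of the posters above), here is the server side of the "HttpOnly cookie plus a targeted CSRF defence" advice for the case where a backend is present, in Python using only the standard library. The refresh token travels in an HttpOnly, Secure, SameSite=Strict cookie scoped to the refresh endpoint, so neither page script nor a CDN in front of the API ever sees it, and the refresh endpoint applies a double-submit check: a second, script-readable cookie that the SPA must echo in a request header. The cookie names, the /auth/refresh path, the X-CSRF-Token header and the 30-day Max-Age are assumptions for this example; the page prescribes none of them.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Assumed names for this example; the page does not prescribe any of them.
REFRESH_COOKIE = "__Secure-refresh"   # __Secure- prefix: browsers only accept it over HTTPS
REFRESH_PATH = "/auth/refresh"
CSRF_COOKIE = "csrf"
CSRF_HEADER = "X-CSRF-Token"


class RefreshRejected(Exception):
    pass


def refresh_cookie(token: str, max_age: int = 30 * 24 * 3600) -> str:
    """Set-Cookie value for the refresh token.

    HttpOnly: page script (including injected XSS) cannot read it, unlike localStorage.
    Secure + SameSite=Strict: sent only over TLS and never on cross-site requests.
    Path=/auth/refresh: not attached to ordinary API calls, so a CDN or logging
    proxy in front of the API never receives it.
    """
    return (f"{REFRESH_COOKIE}={token}; Path={REFRESH_PATH}; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Strict")


def csrf_cookie(csrf: str) -> str:
    """Deliberately NOT HttpOnly: the SPA reads it and copies it into a request header."""
    return f"{CSRF_COOKIE}={csrf}; Path=/; Secure; SameSite=Strict"


def new_csrf_token() -> str:
    return secrets.token_urlsafe(32)


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    """Parse a request Cookie header into a name -> value dict."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def authorize_refresh(headers: Dict[str, str]) -> str:
    """Double-submit CSRF check for POST /auth/refresh; returns the refresh token on success.

    The browser attaches cookies automatically, so a cross-site page can trigger this
    request; it cannot read our cookies or set a custom header, so requiring the
    header value to equal the cookie value shows the request came from our own script.
    """
    cookies = parse_cookies(_header(headers, "Cookie"))
    token = cookies.get(REFRESH_COOKIE)
    if not token:
        raise RefreshRejected("no refresh cookie")
    from_cookie = cookies.get(CSRF_COOKIE, "")
    from_header = _header(headers, CSRF_HEADER) or ""
    if not from_cookie or not hmac.compare_digest(from_cookie.encode(), from_header.encode()):
        raise RefreshRejected("CSRF token missing or mismatched")
    return token
```

The two layers are kept deliberately: SameSite=Strict is not honoured by every client, and the double-submit check only holds as long as an attacker cannot plant cookies on your domain (for example from a compromised sibling subdomain), so neither alone should carry the whole defence.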

According to the OAuth2 playground, the refresh token should be good for days from time of creation, but it seems to be timing out instead in about 24 hours. Is this just a sandbox issue? We're not reusing tokens, btw.

In QBO, we call them the refresh token and the access token. The access token is used to make API calls. For example, if you want to create an invoice for a company, you will need to have the access token in your Authorization header. However, the access token is always short-lived.

Each access token is only valid for an hour after its creation. That is what the refresh token is used for: it is used to request a new access token after the access token has expired, so you can still access the QBO company after an hour. In the QuickBooks Online OAuth 2 protocol, it is not the access token you should store; it is the refreshToken you need to store in your database.

Once it is changed, the previous refreshToken will no longer be valid, potentially causing a request to be blocked by QBO.

Each time the app makes a call to QBO?

Based on our research, most users won't use an app for more than one hour. Therefore, we designed our access token to be valid for one hour. However, if the user does use the app for a longer time, you will need to update the access token again.

Does it return an error back to the app, per the documentation?

As I have mentioned, the access token is only valid for one hour and the refresh token is valid for days. When the access token has expired, QBO will return an "unauthorized" message back to the app, as documented.

I'm trying to add an authentication feature to my application. The authentication server implements OAuth 2. The user won't need to re-login again.

You are correct about the attack that you describe. Refresh tokens have to be stored securely in order to be used as intended. As I understand it, you are building a standalone application. Therefore, you can rely on file system security to prevent a refresh token from being copied by an unauthorized user.

You may want to use encryption for the refresh token too, but the key would need to be bound to a user's session on your local machine; otherwise, the user would need to provide it during the "sign in" process in order for the application to decrypt the refresh token.

So, unless the user has your id/secret combination, he can't do much about it. However, storage of the refresh token must be considered very seriously.

Whenever you use a refresh token to obtain an access token, reset the refresh token as well.


You are right about your concern: you should not save the refresh token. By doing so, you jeopardize your client's data, and you know the reason; you wrote it in the question. You should keep the refresh token in memory.

Please take a look here: developers. When I used that code to create storage, it simply created a plain JSON file containing all of the information.

One of the advantages of this class, oauth2client.Storage, is that it is supposedly thread-safe. However, no encryption is being used here, so I am torn.

Google recommends using their libraries whenever possible to avoid "screwing things up". However, that Storage class is not doing much.
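Added example (mine, not code from the answer above or from oauth2client): what "relying on file system security" looks like in practice for a standalone Python app, given the comment that oauth2client.Storage just writes a plain JSON file. The writer creates the file with mode 0600 and renames it into place atomically; the reader refuses to use a token file that is a symlink, is readable by group or others, or is owned by a different user, much as ssh refuses a world-readable private key. POSIX permission semantics are assumed (on Windows os.stat reports a mode that would not pass this check), and the encryption option from the answer is not implemented here.

```python
import os
import stat
import tempfile
from typing import Dict


class InsecureTokenFile(Exception):
    """Raised when the on-disk token is not protected by file-system permissions."""


def save_refresh_token(path: str, token: str) -> None:
    """Write the token so that no other user can read it, even transiently.

    mkstemp() creates the temporary file with mode 0600, the bytes are written
    there, and os.replace() renames it into place atomically, so a reader never
    sees a half-written or world-readable file.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".refresh-token-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(token)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def load_refresh_token(path: str) -> str:
    """Refuse a token file that others could read, that is a symlink, or that we do not own."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if not stat.S_ISREG(st.st_mode):
        raise InsecureTokenFile(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureTokenFile(
            f"{path} has mode {oct(stat.S_IMODE(st.st_mode))}; expected 0o600 (no group/other access)")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise InsecureTokenFile(f"{path} is owned by uid {st.st_uid}, not the current user")
    with open(path, encoding="utf-8") as f:
        return f.read()


def self_check() -> Dict[str, bool]:
    """Round-trip a constructed token in a scratch directory, then loosen the mode
    (a careless chmod or a sloppy backup restore) and confirm the loader refuses it."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "refresh.token")
        save_refresh_token(path, "constructed-demo-refresh-token")
        results["roundtrip"] = load_refresh_token(path) == "constructed-demo-refresh-token"
        results["mode_0600"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600
        os.chmod(path, 0o644)
        try:
            load_refresh_token(path)
            results["rejects_group_readable"] = False
        except InsecureTokenFile:
            results["rejects_group_readable"] = True
    return results


if __name__ == "__main__":
    print(self_check())
```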

Just don't use refresh tokens; use just access tokens with invalidation using some kind of black-list.

Here's my two cents: store your tokens in a DB, and whenever you use a refresh token to obtain an access token, reset the refresh token as well.

I'm late to the party here, but doesn't your second "cent" defeat the entire purpose of the refresh token? Resetting the refresh token would require the user to re-authenticate.

To authorize access to those APIs, a request must include some kind of access token or key. This article focuses on security best practices for access token management, for API providers and application developers alike. When dealing with security, a single rule prevails: trust no one. If you're an API provider, you can't trust that the application invoking the APIs is the one you expect, that the token you received has not been stolen, or that the communication between client and server has not been intercepted.

On the client side, you can't trust that the application will not be decompiled (exposing embedded secrets), that the application storage will not be compromised through an XSS attack, or that your users are not being fooled into submitting forged requests. This implies that you must put in place proper measures to securely obtain, store, and manage the security tokens required to invoke backend APIs. Additionally, you may think your APIs are safe if you have never publicly advertised them.

However, if they can be used from a mobile application, they are on the public internet, and thus public. Any API exposed outside your enterprise network must be considered public. When it comes to using an API, you are usually offered two choices: pass a static piece of information together with the API call, or obtain that piece of information dynamically prior to invoking the API.

This piece of information is usually an access token or API key. Basic Auth is still used for some APIs for legacy reasons but is deprecated as a mainstream solution.

As usual with security measures, the induced risk is the key factor to take into account. While using an API key is easier for the developer, it does not give the same level of security as an access token obtained with two-factor user authentication and proper identification of the client application.

The API provider can define scopes to limit access to certain operations (you can GET a catalog entry, but you can't PUT a new catalog entry, even with a valid token). The OAuth terminology can sometimes be confusing. In the table below, we present a mapping from practical, development-focused terminology to OAuth terminology.

An application entirely running on the client side or on a device that cannot safely store an application secret. The OAuth server is in charge of processing the OAuth token management requests (authorize access, issue tokens, revoke tokens). OAuth does not mandate the access token format, and as such, depending on the OAuth server implementation, the access token could be opaque (typically a long string carrying no information) or a JSON Web Token (JWT).

The key advantage with JWTs is the ability to contain claims, or information about the user, which the backend services can use to make business logic decisions.

I'm protecting these endpoints by requiring the user to have a valid access token in order to obtain said resources.

The endpoint essentially checks the incoming credentials to ensure that the user exists in my User store. If they do, I'll return an access and refresh token. Otherwise, an error message to be handled client-side.

Now, assume that the user has logged in and tries accessing a private resource from another endpoint secured by requiring an access token. The client will make a request and the protected endpoint will return some error message stating they do not have an access token. The client will then attempt to generate a new access token using the refresh token obtained on login:

Hitting the above resource will generate a new access token with some defined expiration time. This is my current flow. My question is: how should I store refresh tokens to ensure they are being accessed by the authenticated user? Should I have some additional logic in my login requests which stores the generated refresh token against that specific user?


If so, should I then generate a new refresh token and overwrite the existing refresh token attached to the user each time the client tries to refresh their access token?

At present, I feel my process can be compromised if an attacker manages to obtain the refresh token.

The point of having access tokens is that they can be used without checking for invalidation. You can have frontend servers that users can access with the token without the need to ever ask some database if it is invalid. But after some time, the token expires. The user needs a new access token, sends her refresh token, and this refresh token is checked in some database.

You never need to check for expired access tokens or have any state, but limit abuse to the lifetime of the token. If you don't have the requirement to accept the tokens without checking expiration in a database, you don't need the two different tokens. You can just use the refresh token for each access.

The user accesses the service using the access token. The service only checks the signature and lifetime: no database connection. You can replace the refresh token on each refresh, but remember that you need to store all expired refresh tokens until their lifetime is over.
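Added example (not code from the answer above, from QuickBooks, from the Stack Overflow answer that recommends the database, or from the DZone article): both halves of the flow just described in one Python module using only the standard library. Resource servers validate an HS256 JWT access token by signature and lifetime alone, with no database. The refresh endpoint is the only place that consults the store: refresh tokens are opaque random strings kept only as SHA-256 hashes, every refresh rotates the token (the "reset the refresh token as well" advice, and the behaviour the QBO answer describes where the previous refreshToken stops being valid), and the old row stays in the store until its lifetime is over so a replayed token is still recognised. Treating such a replay as theft and revoking all of that user's refresh tokens goes beyond what the answer says; the signing key, the one-hour access lifetime and the 30-day refresh lifetime are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed demo values; a real deployment loads the key from a secret store.
SIGNING_KEY = b"demo-hs256-key-not-for-production"
ACCESS_TTL = 3600              # one hour, as in the QBO answer above
REFRESH_TTL = 30 * 24 * 3600   # assumed 30-day refresh token lifetime

class AuthError(Exception):
    pass

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(subject: str, scopes: List[str], now: int, key: bytes = SIGNING_KEY) -> str:
    """HS256 JWT: everything a resource server needs to decide is inside the token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ACCESS_TTL}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_access_token(token: str, now: int, key: bytes = SIGNING_KEY) -> dict:
    """Stateless check run by every resource server: signature and lifetime only, no database."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise AuthError("malformed token") from exc
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AuthError("bad signature")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise AuthError("expired")
    return claims

@dataclass
class RefreshRow:
    user_id: str
    scopes: List[str]
    expires_at: int
    revoked: bool = False

class RefreshTokenStore:
    """Stand-in for the database table (or Redis hash) holding refresh tokens.
    Rows are keyed by SHA-256 of the token, so a dump of the table yields no usable token."""

    def __init__(self) -> None:
        self._rows: Dict[str, RefreshRow] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, scopes: List[str], now: int) -> str:
        token = secrets.token_urlsafe(32)  # opaque, 256 bits of entropy; only the hash is stored
        self._rows[self._key(token)] = RefreshRow(user_id, list(scopes), now + REFRESH_TTL)
        return token

    def refresh(self, presented: str, now: int) -> Tuple[str, str]:
        """The one database hit in the flow: validate, rotate, return (new refresh, new access)."""
        row = self._rows.get(self._key(presented))
        if row is None:
            raise AuthError("unknown refresh token")
        if row.revoked:
            # A rotated token came back, so a second party holds a copy: revoke the user's
            # sessions. This goes beyond the answer above, but it is why old rows are kept.
            self.revoke_user(row.user_id)
            raise AuthError("refresh token reuse detected; all sessions revoked")
        if now >= row.expires_at:
            raise AuthError("refresh token expired")
        row.revoked = True  # keep the row until expires_at so a replay stays detectable
        return self.issue(row.user_id, row.scopes, now), issue_access_token(row.user_id, row.scopes, now)

    def revoke_user(self, user_id: str) -> None:  # logout everywhere: flag (or delete) the rows
        for row in self._rows.values():
            if row.user_id == user_id:
                row.revoked = True

    def prune(self, now: int) -> int:
        dead = [k for k, r in self._rows.items() if now >= r.expires_at]  # lifetime over: safe to forget
        for k in dead:
            del self._rows[k]
        return len(dead)

    def size(self) -> int:
        return len(self._rows)
```

A dict stands in for the database table; in a real deployment the lookup by hash is an indexed column and prune() is a periodic job. HS256 with one shared key suits a single issuer that also verifies; when several services verify tokens, an asymmetric algorithm (RS256 or ES256) keeps the signing key off the resource servers.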

