Reputation: 5067
SPA with refresh tokens stored in cookie - how to configure with IdentityServer4?
I have an SPA which communicates with an API using a long-lived self-contained JWT for auth.
The SPA is currently storing this JWT in Local Storage.
Apart from this being pretty bad from a security standpoint, the other major problem with is that I have way of revoking access to the API (which btw, needs to remain stateless). One a user has a token, they can use it indefinitely.
I'd like to start using refresh tokens. I know these are typically not recommended for SPAs, however after reading The Ultimate Guide to handling JWTs on frontend clients I believe there is a way to do this securely.
What I would like:
- When user logs in (password grant) the server responds with a short-life access_token ONLY, but sets a HttpOnly cookie with the refresh token.
- The client stores the access_token in memory, and uses it when making API requests.
- When the access_token is near expiry, I'd make a request to the auth server to refresh the token. Because a cookie was set by the auth server, it would be automatically included in the request. The server responds with an updated access_token which we store in memory.
- If the user navigates away from the SPA and returns later, we can simply make a request to the auth server to refresh the token, which gives us a brand new one (no need to store anything in local storage).
This would seem to be about the most secure option, minimising both XRSF and CSRF:
- If somebody manages to inject some code into the SPA and steals an access_token, it expires after 5 minutes anyway. The injected code never gets access to the refresh_token.
- You can't trick a user into making CSRF API requests because you don't have the access_token (the access token effectively serves as a CSRF token).
- If somebody did somehow manage to get access to the refresh_token, it can be revoked on the auth server.
If this method is as full proof as I think it is (prove me wrong, please!), why is it seldom mentioned online?
The IdentityServer4 docs don't seem to cover this. Can anybody suggest how it might be implemented? I hoped that there might be a property I could set on in the Client config along the lines of UseCookiesForRefresh, but no.
Upvotes: 3
Views: 1595
Answers (1)
Reputation: 9113
You can use ReferenceToken type instead of Jwt Token to revoke the tokens whenever the user's session is ended (or logout). Reference Token
You need to change the AccessTokenType in Client configuration
new Client
{
ClientName = "OAuth Test",
ClientId = "TestClientId",
AllowedGrantTypes = GrantTypes.Hybrid,
AccessTokenLifetime = 300,
AllowOfflineAccess = true,
AccessTokenType = AccessTokenType.Reference,
......
}
When the user logs out, you can use the following lines to revoke all tokens generated within that session.
await _interaction.RevokeTokensForCurrentSessionAsync();
Upvotes: 1
Related Questions
- Getting IS4 to issue refresh tokens
- IdentityServer4 - Using Refresh Tokens after following the Quickstart for Hybrid MVC
- ASP.NET Core 5 + IdentityServer4 doesn't send refresh token
- Refresh token for IdentityServer4
- Using .NET Core Identity and need to refresh token
- IdentityServer4 - Refresh Tokens Hybrid Flow - Cookies and storage
- Refresh Token and Access Token from Identity Server4
- Refreshing access tokens in IdentityServer4 clients
- IdentityServer4 client - Refreshing access tokens on CookieAuthenticationEvents
- How to request a refresh token with identityserver4