nikolis

nikolis

Authentication Strategy for token based authentication and Refresh tokens

Hello Fellas,

I need to wrap my head around a topic that I do not seem to see through.

I am developing a phoenix application which exposes a RestApi that is the primary mean of communication with the Client (an elm application), the phoenix app runs over https and all request are https request.

Right now my process for securing my API is simple, a user uppon login gets a jwt token with an hour expiration time, every time he is making a request a new token with an hour expiration time is issued, once he has not login for more than an hour the user is getting a 401 response from the next request to the server and is forced to re Log-in to to the application and so on.

But I have been looking about refresh tokens that you can provide to the user along with the access token and how you can store them in your database(Server side) and thus invalidate them once you see a user in risk. The primary benefit of that is explained to be that in the case of a Man in the middle attack the “man in the middle” can potentially aquire the users token and use the token to make request on his behalf.

My question at this point is simple. Does this risk really exist in the case of all communication happening through https ? Does it really make sense to have that kind of functionallity in the server when you do not have a fraud detections system meaning that if a user himself reports a hacked account your are not sure if the token is somehow systematically being aquired or if the credentials have been compromised and you would probably want to suspend the account completly ?

Thanks in advance !

Most Liked

krstfk

krstfk

Hi, an MITM attack is not what the refresh token aims to prevent. The risk it has to mitigate is an access token leaking to an attacker (by any mean, eg XSS).

The idea being that you set a short expiration time for the access token, and refresh it with the refresh token when it has expired. The refresh token needs to be stored in a secure fashion.

The refresh token is most useful when the resource server is not the authentication server. Say if your resource server (RS) is also the client of the authentication server (AS) but acts as a middleman between your client (JS app in browser) and the AS (eg uses redirect with a retrieve from code flow). Then the RS can send the (unsecured) client an access token and store (eg in session) a refresh token, and process most requests without querying the AS.

If you’re both the RS and the AS, and need to store each client’s data on the server, why not use plain old sessions? If invalidating all clients sessions when one is compromised is acceptable, then you can use the iat and nbf claims to further validate the token.

In general, I would look long and and hard at whether you need jwt based authentication in the first place ( I mean, if you’re the AS, the RS and the one serving the client, use sessions, it’s easier and it has less footgun).

Where Next?

Popular in Questions Top

Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
fireproofsocks
I’m working on defining a simple Ecto schema for a table (in PostGres), but I don’t see where I can define a column as NOT NULL. Conside...
New
tduccuong
Hi, is there any work on GUI with Elixir, that is similar to Electron/Javascript? My idea is to bundle Phoenix and BEAM into a single se...
New
Lily
In templates/appointment/index.html.eex: <%= for appointment <- @appointments do %> <tr> <td><%= appoi...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
JDanielMartinez
Hi! May someone helps me, please! I have two apps into an umbrella project: the first one is Database, which manages queries, and the se...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New

Other popular topics Top

sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 42920 311
New
AstonJ
Posting this to see if we can make things easier for people to get into Neovim. If you use Neovim and have a favourite distro please let ...
New
greenz1
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
JeremM34
Hello, how can I check the Phoenix version ? Thanks !
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 30877 112
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 43622 214
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New

We're in Beta

About us Mission Statement