kccarter

kccarter

If a LiveView needs to refresh a JWT, how can you "push" the new tokens back up to the client without a full page refresh?

A lot has been posted and written about auth, JWTs and LiveView but there’s still one part that we’re struggling to understand. If you have to refresh a token while the user is visiting your LiveView page, how do you send the newly refreshed token back to the client?

We’re using Auth0 and JWTs to authenticate users. Auth0 calls back to our Phoenix app, we do the token handshake and are left with an id_token, access_token and refresh_token which we store in connection’s session-cookie.

We follow the practice of “double authentication” in our LiveViews by first authenticating the HTTP request in a Plug, and then again in the mount call.

The act of authenticating involves checking for the presence of the appropriate tokens and checking that they have not expired. Tokens are passed from the connection to the LiveView in mount.

Our LiveView page is like a dashboard / monitoring page, so it’s reasonable to assume the user might leave it open and running for a long time. Periodically, the user might perform an action on that page which is handled like any LiveView action would be with the addition that we, again, validate the user’s token to ensure it hasn’t expired and that the appropriate permissions are present.

But here’s the problem: If a token has expired, then we want to silently refresh it for the user. We’re able to do so because we have the refresh_token. However, after refreshing the token with Auth0, we now have new tokens (and a new refresh_token) but no way to “push” those new tokens back up to the client such that they are saved to cookies for the next HTTP request.

Our understanding is that we need to perform a full page refresh to update the cookie, which kind of defeats the purpose of short-lived tokens that can silently be refreshed.

We’re trying to get away from using a “session_id” in our cookie and then needing a database lookup to fetch the JWTs.

Just curious if there’s something we’ve overlooked in LiveView that would allow us to silently refresh these tokens without having to reload the LiveView page.

First Post!

tangui

tangui

Not sure to understand how you use these tokens and what you intend to achieve.

In OIDC:

  • the ID token is used to open a session on the RP (your site) from the OP (OpenID Provider - Auth0 in your case). Open a session generally means setting a local cookie on your site. Note that there’s no correlation between the tokens you received and your session lifetime
  • the access token is meant to access external third-party API, and the refresh token to get new access tokens

Are you accessing external API ? If not, why do you need these tokens at all? Storing refresh tokens in cookies seems insecure IMO.

I have the feeling that what you want to do is to synchronize the session at Auth0 with your app, that is kind of Auth0-initiated logout. If so, there’s no easy response as there are at least 3 OpenID standards for that - all being unsatisfying in subtle ways :smiley: But you might not need it.

Where Next?

Popular in Questions Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
Kurisu
For example for a current url like http://localhost:4000/cosmetic/products?_utf8=✓&query=perfume&page=2, I would like to get: ...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
LegitStack
I’m trying to make a websocket server in Phoenix or raw Elixir. I heard about gun, I think I could use cowboy, but since I’m not that sma...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New

Other popular topics Top

vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
JeremM34
Hello, how can I check the Phoenix version ? Thanks !
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
rms.mrcs
Hi, I need to transform a list of numbers into a map where the keys are the indexes and the values are the original values of the list. ...
New

We're in Beta

About us Mission Statement