What are Refresh Tokens?! and...How to Use Them Securely

Views: 43,573

OktaDev

A day ago

In this video we will explore the concept of refresh tokens, learn how they compare to other token types, and understand how they let us balance security, usability, and privacy.
Check out the corresponding blog post to this video here:
auth0.com/blog/refresh-tokens...
Auth0 Token Best Practices doc:
auth0.com/docs/secure/tokens/...
Chapters:
00:00 Introduction
00:40 What is a Token?
02:04 What is an ID Token?
02:53 What is an Access Token?
04:56 What is a Refresh Token?
05:55 When to Use Refresh Tokens?
06:40 Authorization and Authentication Flows
08:50 Refresh Token Rotation
09:11 Keeping Refresh Tokens Secure
10:29 Refresh Token Rotation
11:38 Refresh Token Automatic Reuse Detection
14:52 Using Refresh Tokens to Balance Security, Convenience and Privacy
16:05 Locally Storing Your Refresh Tokens?!
17:54 Token Best Practices
18:50 Conclusion
Sign up for our monthly newsletter! a0.to/zeroindex
#security #authentication #developer
___________________________________________
Learn with Auth0 by Okta
Try Auth0 for free - a0.to/yt-signup
The Auth0 by Okta blog - a0.to/blog
___________________________________________
Follow Us on Social
Twitter - / oktadev
LinkedIn - / oktadev

Comments: 48
@jesterflint9404 7 months ago
This video has enough information to tell you "refresh tokens are very powerful" and they also tell you "auth0 takes measures to secure it" (which satisfies their goal I guess). The main difference between access tokens and refresh tokens is that the refresh tokens are stored in the database and the server can invalidate them at will. So, if a user changes password or the refresh token is compromised, the refresh token can be revoked and the bad actor loses access as soon as the access token expires.
@KulcsarRudolf 3 months ago
Super clear, thank you for this awesome video! I feel smarter.
@marvellstudio9355 15 days ago
One of the best videos I have watched 👌❤ loved the way you explained
@twd2 11 months ago
That's genius, you explained what I was working on for three months, thanks bro❤!!!
@oktricio A year ago
Super clear and educational!
@luisvillar8320 10 months ago
Thank you sir for making this video informative and fun to watch.
@SunnyHenry A year ago
Awesome and easy to understand! Thank You Very Much! I do have one question though, that I can't seem to find the answer to. For refresh token rotation, is it a sliding rotation? Meaning when I get a new refresh token is the expiration pushed back further than the initial expiration? Or is there a way to configure it to, regardless of how many refresh tokens I get, have a combined expiration of... let's say 30 days?
@OktaDev A year ago
Thanks for your question! Let us do some research and get back to you, please 🙏
@rahulganga3274 A year ago
Sir, thank you very much, I have been searching for this for a long time😂 ... From India 🇮🇳 ♥️
@tuanleanh440 A month ago
Thank you, the video gives me the answer for how to secure refresh tokens.
@OktaDev A month ago
Glad we could help!
@pawelbrzosko 7 months ago
Great vid, informative and very entertaining. Well done, Sir!
@juanbolanos5939 A year ago
Thank you! It helped me a lot
@OktaDev A year ago
Glad to hear that!
@urodsky_monday A year ago
Great video! thank you!
@bobobobo-ki2fw A year ago
Thank you for the content, you are very knowledgeable. Mini tip that would help so much is to use tables/charts, e.g. for the part about which auth flow to use.
@user-rd4oo1jg5g 11 months ago
Hi, I'm trying to understand since I'm building an app in PHP and I have to use a REST service. I have the service to request a token that also returns the refresh token. Should I request the token, store it in a database and, every time I request the token, first check if I have a valid one in the database based on the expiration date? What would the refresh token be used for? Thanks for all
@jimkk159 A year ago
Awesome video! However, I wonder if the token family breaks the server's statelessness?
@omphemetsemafoko830 A year ago
Good explanation. Thanks. God bless you
@OktaDev A year ago
You are very welcome :)
@maneshipocrates2264 A year ago
Clearly explained. Thanks. But how can a beginner get an example of using Okta and Spring Boot 3 microservices?
@OktaDev A year ago
Thanks for your feedback. We don't have content on Spring Boot 3 yet but we'll keep that in mind as a topic to tackle.
@maneshipocrates2264 A year ago
@@OktaDev Thanks. But do you know if there are any major changes I should be aware of, in case I want to use Okta with a Spring Boot 3 application?
@mraible A year ago
I created a microservices architecture with Spring Boot 3 and Auth0 last week using JHipster. You can check out the video at kzbin.info/www/bejne/oaKWYoWriZl1rtk.
@maneshipocrates2264 A year ago
@@mraible Thanks.
@techytipsnow A year ago
It was a great session, easy to understand compared with others
@sabuein A year ago
Thank you.
@OktaDev A year ago
You're welcome!
@marcioalexandremarcondes557 7 months ago
Thanks!
@adelkedjour 2 months ago
If both the access token and refresh token have expired at the same time (i.e., after 15 minutes), it presents a challenge because the client can no longer use the expired refresh token to obtain a new access token. In this case, the user would need to re-authenticate to obtain a new pair of tokens innit?
@OktaDev 2 months ago
Yes, this is by design. You shouldn't configure your access token and refresh token lifetimes to be the same. If a 1-hour access token happens to coincide with a 30-day refresh token expiring, that is correct, and the intent is that the user has to log in again. Hope that helps!
@tamashercz 10 months ago
Thought I was tripping when I saw the guy's beard starting to grow grey towards the end of the video lol.
@user-uz5iq6my2k 2 months ago
What happens if a malicious person gets their hands on the refresh token, but the actual user doesn't make a request for quite some time? Wouldn't that let the malicious person misuse the long-lasting refresh token? While I do agree that rotating refresh tokens can enhance security, I'm curious about how this specific scenario would be managed.
@OktaDev 2 months ago
Thanks for watching! If a refresh token issued to a public client is stolen, the attacker can impersonate the client and use the refresh token without being detected. It is also possible to bind refresh tokens to the public client instance using DPoP (oauth.net/2/dpop/) which can counter this attack. Confidential clients need to authenticate to the authorization server in order to use the refresh token, so the risk of stolen refresh tokens is lower for this type of client.
@techdiver6074 9 months ago
Plain English. I understand now!!!
@cn5703 6 months ago
What happens in 12:07, if the malicious user authenticated with the stolen refresh token before the legitimate user does? Wouldn't the malicious user then have a legit access token to impersonate the legit user?
@batru2515 5 months ago
I am wondering too
@alimertc 5 months ago
He would, for a short while. If a refresh token is used twice, all subsequent refresh tokens will be invalid. So both the attacker and the legitimate user would have to re-login (which the attacker can't). Correct me if I am wrong.
@sub-harmonik 10 months ago
the editing is a bit weird
@sridharyemparala4185 A year ago
What happens if the refresh token was played by the hacker before the real user needs it? So the hacker gets the new 2nd access token. So silly 😂. The whole opened has a flaw! The persistence of the token should be on the SP side, so not post them and stop. Not the IDP checking later. Which is pure useless
@mrj1997 A year ago
I see the whole flow bullshit, next years must be a much better way for doing this. current methods are so ridiculous
@abdulhaimohamed A year ago
I was just about to write the same comment, but think about it for 1 second: it does not depend on who uses it first, it depends on the fact that it can be used once, otherwise all is unauthenticated. So if the hacker uses it first, when the real user tries to use it again => all will be unauthenticated and the real user can log in again with his credentials
@cn5703 6 months ago
@@abdulhaimohamed ... but not before the malicious user steals all the legit user's data. It doesn't take long.
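The scenario argued over in the replies above (an attacker replays a stolen refresh token before the legitimate user does), the server-side revocation @jesterflint9404 describes, and @SunnyHenry's question about sliding versus absolute refresh-token lifetimes, modeled together as an added Python example. This is not code from the video or from Auth0; the class and constant names, the chosen lifetimes and the in-memory dictionary standing in for the token database are all assumptions.

```python
"""Refresh-token rotation with automatic reuse detection and revocation.

Added, self-contained model of the authorization-server side; not code from
the video or from Auth0. All names (AuthServer, RefreshRecord, the TTL
constants) are hypothetical and an in-memory dict stands in for the database.
"""
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 15 * 60              # 15-minute access tokens (assumed lifetime)
REFRESH_IDLE_TTL = 7 * 24 * 3600  # each refresh token lives 7 days (sliding window)
FAMILY_MAX_TTL = 30 * 24 * 3600   # no token family outlives 30 days (absolute cap)


@dataclass
class RefreshRecord:
    family: str          # every token descending from one login shares a family id
    user: str
    issued_at: float
    used: bool = False   # set once this token has been exchanged (rotated out)


class AuthServer:
    """Keeps refresh tokens server-side so they can be invalidated at will."""

    def __init__(self, clock=time.time):
        self.clock = clock                              # injectable for testing
        self.tokens: dict[str, RefreshRecord] = {}
        self.family_started: dict[str, float] = {}
        self.revoked_families: set[str] = set()

    def login(self, user: str):
        """Primary authentication succeeded: start a fresh token family."""
        family = secrets.token_urlsafe(16)
        self.family_started[family] = self.clock()
        return self._issue(user, family)

    def _issue(self, user: str, family: str):
        refresh = secrets.token_urlsafe(32)
        self.tokens[refresh] = RefreshRecord(family, user, self.clock())
        access = {"sub": user, "exp": self.clock() + ACCESS_TTL}
        return access, refresh

    def refresh(self, presented: str):
        """Exchange a refresh token for a new pair; on reuse, revoke the family."""
        rec = self.tokens.get(presented)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family in self.revoked_families:
            raise PermissionError("token family already revoked")
        if rec.used:
            # Automatic reuse detection: a rotated-out token was presented a
            # second time. The server cannot tell whether this caller or the
            # earlier one was the attacker, so the whole family is revoked and
            # both parties must authenticate again with real credentials.
            self.revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        now = self.clock()
        if now - rec.issued_at > REFRESH_IDLE_TTL:
            raise PermissionError("refresh token expired (idle)")
        if now - self.family_started[rec.family] > FAMILY_MAX_TTL:
            raise PermissionError("token family expired (absolute lifetime)")
        rec.used = True
        return self._issue(rec.user, rec.family)

    def revoke_user(self, user: str):
        """Server-side revocation, e.g. after a password change."""
        for rec in self.tokens.values():
            if rec.user == user:
                self.revoked_families.add(rec.family)


def stolen_token_scenario(clock=time.time):
    """Attacker replays a stolen refresh token before the legitimate user does.

    Returns which steps succeeded so the outcome can be checked.
    """
    srv = AuthServer(clock)
    _, rt1 = srv.login("alice")          # alice logs in; rt1 is later stolen
    _, rt_attacker = srv.refresh(rt1)    # attacker uses rt1 first: this succeeds
    outcome = {"attacker_first_refresh": True}
    try:                                 # alice later presents the same rt1
        srv.refresh(rt1)
        outcome["legit_reuse"] = True
    except PermissionError:
        outcome["legit_reuse"] = False   # reuse detected, family revoked
    try:                                 # attacker's newer token is dead as well
        srv.refresh(rt_attacker)
        outcome["attacker_after_detection"] = True
    except PermissionError:
        outcome["attacker_after_detection"] = False
    return outcome


if __name__ == "__main__":
    print(stolen_token_scenario())
```

The attacker does get one valid access token, so the window of exposure is the access-token lifetime plus the time until the legitimate client next refreshes; that is exactly why access tokens are kept short. The two lifetimes answer the sliding-expiry question: each rotated token gets a fresh idle window, but the family's start time caps the total at 30 days regardless of how many rotations happen.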
@whatsoever6863 7 months ago
Informative, but it is visible that the man presenting the topic reads everything from behind the camera, feels like he doesn't really know what he is talking about :)
@abdulhaimohamed A year ago
I JUST WANT TO SAY THAT I SPENT ABOUT 4-5 DAYS JUST SEARCHING WHY WE NEED REFRESH TOKENS, THANKS ALLAH FOR FINDING THIS VIDEO AT THE END OF MY DAY AND THANK YOU FOR THE PLAIN AND CLEAR UNDERSTANDABLE ANSWER, KINDLY THANK THIS GUY TOO MUCH AND PROVIDE ME WITH HIS TWITTER IF HE HAS ONE, THANK YOU
@OktaDev A year ago
Thanks for your kind feedback! We have shared it with Will :) You can find him on Twitter here: twitter.com/willjohnsonio
@abdulhaimohamed A year ago
@@OktaDev Thank you for your time and effort🌺
@WillJohnsonio A year ago
Thank you