i agree

Because the refresh token is only sent on one specific call whereas the access token is sent on every call ☺️ the attack surface is very small. Of course, if an attacker manages to get a refresh token the only way to block him out is invalidating the refresh token in the database

@@thomasthaler7669 but if your network is unsecure anyway, then the men in the middle would just be stealing your new access token so whats the point?

@@gamemusicmeltingpot2192 So dont use authentication then?, whats YOUR point? That's user's responsability to not use unsecure networks

@@emloq like I said what's the point of using another token if the network itself is compromised. But never mind, since I have done the research after I posted that comment I have figured out the answers I needed

@@gamemusicmeltingpot2192 hi can u explain the soln u found pl

The question is what if refresh tokens get stolen?

you can add a flag in your token to make sure your user revalidates their token via email before doing anything sensitive like making a purchase.... the original token issued is set to 1. once the token is refreshed you will set the flag to 0. if the user tries to buy something with a token that has a 0 flag, you will make them revalidate with a fresh token from email.

Not quite. You see, the call itself to the endpoint should be encrypted through https anyway. The risk of the man in the middle is is small but of-course possible. The thing you have to be careful with refresh token is how you store them locally. As long as you are diligent on that, the chances of someone getting access to the refresh token are small. For example the JWT could be stored in a cookie. The refresh token should never be there. In this case cookie attack is what could steal the token and the refresh token if they are both stored in cookies.

@@nickchapsas where then should it be stored?

@@chineduekeneokpala3407 in LocalStorage or in the SessionStorage depending on the needs

@@mojekonto9287 Local storage is inherently no more secure than using cookies.

@@enonz761 when you store the refresh token in the cookie then it will fly in every request.. you don't want that of course. Another thing is that whatever you keep in local or session storage will only be sent in the request when your application explicitly adds it to the request. No other app in another tab will have access to your app's storage. What you stated, therefore, in this regard, is not true to me. If i am mistaken, let me know ;)

The MITM would have to intercept both the jwt token and the refresh token and then be faster than the legitimate user in providing the combination of the then expired jwt token and the refresh token to get a new a pair.

@@mojekonto9287 what if he did that?

refresh token is a false sense of security

@@kalideb-y3y not arguing but it’s better than nothing.

If you give an access token with a long life, then if that token is compromised, whoever has it will have access to your API for a very long time.

that's also what I'm thinking the guy on the video assume that a refresh token will not a target for a hacker 😂 refresh token is pointless

I don’t really agree with that. JWT is a specific type of token following the JWT standard. If it was just a format then and 3 Base64 strings separated by dots would be a JWT but that’s not really the case.

Nick Chapsas The purpose of the token is for access and hence the name access token. In this case the access token is in JWT standard. No?

I never disagreed with that you just said. I said that it's totally fine to call it a token type and also an access token following the JWT standard. They are both correct in my opinion. That's not necessarily correct is that in the diagram I specifically use JWT as my token type but instead of JWT i should simply write, "Access Token".

Nick Chapsas JWT is a token standard. It can be used for Access token as well as other types of tokens such as ID token. In your example, the token is specifically an access token, hence my view that calling it an Access token is more appropriate.

I think this is it: kzbin.info/www/bejne/d4aThXyFj816p9U

Since the token is stored in the local storage of the browser it is not prone to some sort of attack that can retrieve it. Also, if you’re using https, a man in the middle shouldn’t be able to access the request contents.

@@nickchapsas just for sake of simplicity,let say we are not using https for some reason Then what's the point for refresh token? If it will grant me longer access anyways It's whether http or https, If hacker/attacker somehow manage to obtain the refresh token, then he will go home, will set token manually in his browser, and walah Here I'm not trying to say that what you are trying to teach is wrong or spreading misleading information, I also learnt same thing when in my training But there is security concern, and I know that security is hard I may not experienced Developer as you are, but in my work experience I tried to improve the security by adding more information like device name and operating system name, etc But I'm still not satisfied, I hope there must be a way to ensure that stored informations in the browser is not hampered by users at client side or by the attackers

By requiring a refresh token as well to refresh it

@@nickchapsas But if I've access to your JWT why wouldn't I have access to your refresh token?

Well they would both be stored in the local storage of your browser. The danger is around man in the middle attacks when you have your jwt in the cookie or the header to authenticate/authorize yourself. The only scenario where you are fully exposed is if you have a man in the middle in a non SSL request when you are refreshing the token.

​@@nickchapsas Was more concerned about an XSS attack? Surely you should be pretty good with a JWT and HTTPS?

Sure but that means you would need a long lived JWT. How would you have a short lived (5-10 minutes) JWT and also be able to refresh that without a login screen or a refresh token?

???

@codedusting u gonna have to ask a more specific question that this ... I'd recommend posting what I typed into chat gpt and let it explain to you as well

Not exactly. On login you get a jwt and a refresh token. The refresh token is stored by both server and client and it’s put on the side for now. The jwt is only stored by the client and it’s sent as the auth header for any other requests. At this point there are two things you can do. 1: before you send any request check the expiration token on the jwt you’re about to send. If it’s in the past then use the stored refresh token and the jwt against the /refresh endpoint to get a new pair 2: don’t check if the jwt has expired and if the server replies with unauthorised then take your stored refresh token and try to refresh your jwt. If it succeed make the same call again. If not then fail the request

@@nickchapsas I would suggest 2 is the only way to go. Also, if the refresh token auth fails, generally you would ask the user to log in again at that point. That would generate the new refresh and access token. This also allows a bad user who somehow has the refresh token.. if it were invalidated on the server side.. to be forced to log in and likely fail the username/password login and not be able to make more API calls.

@@nickchapsas when the client needs to use the /refresh endpoint, why does the client need to send the refresh token AND the access token? Isn't it enough to send just the refresh token? What additional security or authentication does sending the expired access token provide?

@@mazonnozam They are stored on the server as a Map (Key/Value) so this way the server would check if the combination you send is a valid one and then change the access JWT , if the pair isn't valid , you would get an Unauthorized response and have to login with user/password to get a new pair.

And what did you achive by implementing blacklisting? Because, on each verification you will have to check against a data store whether the token is blacklisted. Where’s the difference between that approach and sessions? The whole point is missed in your case. Just make them shortlived.

@@OverG88 Yes but on big sites you can't keep all the session data in memory but you can keep a blacklist on memory easily.

@@biliyonnet And upon each request, you will have to check against an authentication server whether the token is blacklisted. If your auth. server goes down, everything goes down. The second thing, you can have a massive session storage in memory. If that's not enough, idle sessions can be stored on a disc. There's a ton of solutions for that.

great answer. Thanks!

As far as I know HTTPS will solve your man in the middle concerns. If you want extra protection, using a https proxy and an SSL certificate on your servers will give you a double layer against a man in the middle attack. Enforcing HTTPS traffic is the way to go these days.

When access token is expired.. client sends refresh token to get new access token. If refresh token is expired (or invalidated/removed by server), 401 response to THAT API request means client needs to put up login page again and require user to log in again. That will then generate new refresh token AND access token like any login does. On a Web/mobile UI, the refresh token can be associated with the "stay logged in" feature many apps/sites have. That is telling the app "this user wants to stay in.. so if access token is expired, use refresh token to get another access token without user knowing.. keeping them logged in". When you chose NOT to use a stay logged in feature, it is possible the login step returns a longer lived access token.. maybe 1 hour instead of 15 minutes for example, to better the user experience.

If the refresh token has expired (which would be after a long while) the best course is to have them log in again. That will return a new access and refresh token as a result of the password grant type

@@jackofalltrades8212 one of the best explanations i have read so far. 👍

@@techalbal Thank, you. Took me a while to learn all this, but I think I have it figured out. :)

@@jackofalltrades8212excellent explanation sir! Just brilliant!

I have the same question. I think only a fresh access token is received.

You don’t want to have such a thing as “pair of access and refresh token”. Also, you don’t want to store refresh token on server. You want to store a part of it (id) or its hash. When the access token expires, you send the refresh token. Refresh token can also be JWT. Then you validate refresh token against the secret key and check whether it’s id is present in servers database. If so, you issue a new access and refresh token, and replace an id of an old refresh token with the new id. Rinse and repeat. Refresh token exists only to issue a new access token. Issuing new refresh token too, limits attacking capabilities. Imagine that someone steals your access token. They will be able to access protected resources for some time. It’s important to keep JWT access token short lived since it cannot be invalidated immediately unless you implement blacklisting (but that kills the purpose of JWT) or change your private key. After some time (like 5 mins) they will have to obtain a new access token by sending a refresh token. If they neglect servers response which contains new refresh token.. boom! They are fucked! Their current access and refresh token are unusable.

@@OverG88 But that means that a new refresh token has to be issued every time a new access token is needed, right? If the user's access token is expired (or doesn't exist), they will use the refresh token to renew the tokens. So every time the access token expires, it won't be the only one to be renewed. The only way to avoid this would be to check the expiration date on the backend, and if it's nearly expiring, then issue a new one, else don't modify it. But that may seem like a security risk.

@@John-mj1kk you are absolutely right. I think this is called token rotation. Every time you call the refresh endpoint it serves you a new access and a new refresh token (invalidating the current one)

This is actually wrong. You don't need to go to the auth service to validate the token. The signature can be validated on the client side using a symmetric key or a certificate so there is no need for an auth service call at all.

hear hear

In OAuth, that's called ROPC or Resource Owner Password Credential and it's strongly recommended this is not used. This is the purpose of refresh tokens and access tokens, i.e. to securely sign a new access token without having to store (if even in memory) user credentials. I'm sure there are other opinions, so this is just my .02

Hell no! In case of XSS vulnerability, say goodbye to user credentials.

I don’t think I’m recommending the usage of refresh tokens at any point. I am only using SPAs as an example of to explain the flow.