JSON Web Token
Wentixon, 2019-01-13 13:49:54

What's the point of a refresh token?

I don’t fully understand why refresh tokens are still needed.
Let's say an attacker stole an access token from us, which lives for a very short time, say 15 minutes. OK, he will be able to use it for a short time, and having a refresh token we will get a new access token. With this, everything is clear and logical.
But what happens if the attacker also steals the refresh token? Here I do not understand anything. First, if he stole the access token, why would he not have the opportunity to steal the refresh token as well? Or are most attackers too stupid, so that when they see an access token they immediately drool and forget that they really need the refresh token?
If an attacker steals a refresh token, he will also be able to use it until it expires, constantly getting a new pair. Everyone says that when a user logs in, the attacker's refresh token will become invalid. It turns out that we need to store it somewhere in the repository and delete it with each new login? Ok, then how not to log out on other devices when logging in if we need to delete all the refresh tokens?
In general, help me deal with this abracadabra;)

3 answers
Roman Kitaev, 2019-01-13
@Wentixon

But what happens if the attacker also steals the refresh token?

He won't. The JWT can be non-httpOnly so that it can be read by the front end. Therefore, a JWT can be stolen through an XSS hole. The refresh token must always be httpOnly, and only the server can read it.
The second level of protection is that the JWT is placed on .example.com, while the refresh token is placed only on auth.example.com. Thus, even if any of your services (except for the authorization service) is compromised, the refresh token will remain protected, because it will not be available to anyone except the authorization service.
Yes, this all implies that at least the refresh token needs to be stored protected from XSS, that is, definitely not in localStorage, but in cookies or something similar.
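A small model of the cookie scoping Roman describes, added here as an example; it is not code from the answer or from any library. The hosts example.com and auth.example.com come from the answer, while the cookie names, the refresh path and the lifetimes are assumptions.

```javascript
// Added example: models which browser cookies an XSS payload can read and which
// hosts receive them, following the scoping described in the answer above.
// Cookie names, the refresh path and lifetimes are assumed values.

const ACCESS_TTL_SECONDS = 15 * 60;          // short-lived access token, as in the question
const REFRESH_TTL_SECONDS = 30 * 24 * 3600;  // assumed refresh-token lifetime

// Build a Set-Cookie header value from a name, value and attribute object.
function buildSetCookie(name, value, attrs) {
  const parts = [`${name}=${value}`, `Domain=${attrs.domain}`, `Path=${attrs.path}`,
    `Max-Age=${attrs.maxAge}`, 'Secure', `SameSite=${attrs.sameSite}`];
  if (attrs.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Access token: readable by front-end script (no HttpOnly), sent to every host under example.com.
function accessTokenCookie(jwt) {
  return buildSetCookie('access_token', jwt,
    { domain: 'example.com', path: '/', maxAge: ACCESS_TTL_SECONDS, sameSite: 'Strict', httpOnly: false });
}

// Refresh token: HttpOnly, and scoped so the browser only sends it to the auth service's refresh endpoint.
function refreshTokenCookie(token) {
  return buildSetCookie('refresh_token', token,
    { domain: 'auth.example.com', path: '/token/refresh', maxAge: REFRESH_TTL_SECONDS, sameSite: 'Strict', httpOnly: true });
}

// Minimal parser turning a Set-Cookie value back into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split('; ');
  const eq = pair.indexOf('=');
  const attrs = { httpOnly: false, secure: false };
  for (const av of rest) {
    const [k, v] = av.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') attrs.httpOnly = true;
    else if (key === 'secure') attrs.secure = true;
    else attrs[key] = v;
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Browser rule (RFC 6265, simplified): a cookie with Domain=D goes to host H when H === D or
// H ends with "." + D, and only for request paths at or under the cookie's Path.
function cookieSentTo(header, host, path) {
  const { attrs } = parseSetCookie(header);
  const domainOk = host === attrs.domain || host.endsWith('.' + attrs.domain);
  const prefix = attrs.path.endsWith('/') ? attrs.path : attrs.path + '/';
  return domainOk && (path === attrs.path || path.startsWith(prefix));
}

// What injected script on any page can read via document.cookie: non-HttpOnly cookies only.
function readableByScript(header) {
  return !parseSetCookie(header).attrs.httpOnly;
}
```

Running the checks shows that a compromised api.example.com page can read and send the access token but never sees the refresh cookie, while auth.example.com receives it only on the refresh path.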

uvelichitel, 2019-01-13
@uvelichitel

The access token constantly travels over the wire, so it is relatively easy to intercept, and that is why it is changed often. The refresh token is sent much less often; it is the second line of defense, the deep rear.)) Is such simple logic not good? And then everything breaks...

Ivan Grigoriev, 2019-01-17
@Soloist

Here JavaScript.Ninja explains everything in detail. Specifically, at 13:30 he answers the question "What is the point of a refresh token?"
