While testing the security of one of our product, a web application, using the REST API of Firebase we got surprised when we realised that refresh-tokens never expire in the V3 of the Firebase impl...

I am implementing JWT in one of my node apps. I am wondering, if there is any definite format/ structure in which a refresh token should be generated? By definite format I mean whether a refresh ...

Following this procedure: https://learn.microsoft.com/en-us/graph/auth-v2-user I'm trying to get a refresh token from this microsoft end point: https://login.microsoftonline.com/{tenantId}/oauth2...

I have an Api and a mobile client. I am using refresh tokens as following: User provides credentials, Api returns back an access token and a refresh token. The refresh token is then saved with its...

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token...

I'm trying to implement token refresh feature in angular 12 and .net core 5. this is my JWT service registration: startup.cs: services.AddAuthentication(options => { options.DefaultAuthenticat...

I'm trying to refresh the oauth2 token using ClientOAuth2.Token.refresh() but keep getting the error sometimes: {"error":"invalid_grant","error_description":"Session not active"} This is the reque...

I just stumbled upon an issue where I started sending too parallel refresh token requests to the backend server I built, which caused concurrency issues where there is a race condition in which all...

I am designing a new web application which requires an oAuth2 implementation. I've been reading up on oAuth2 Authorization Code flow with PKCE. That makes sense, it ensures that de client who is in...

Spring Boot 2 with Spring Security 5 can be configured to use an openID connect ID provider for authentication. I managed to setup up my project just by configuring Spring Security - that works fin...

I want to refresh my access token when it gets expired. I have implemented Authenticator as shown below: @Singleton class TokenAuthenticator( val authService: Lazy<AuthService>, private val...

I was reading the documentation on the Auth0 site regarding Refresh Tokens and SPA, and they state that SPA's should not use Refresh Tokens as they cannot be securely stored in a browser, and inste...

I have a policy that looks like this var retryPolicy = Policy .Handle<HttpRequestException>() .OrResult<HttpResponseMessage>(resp => resp.StatusCode == HttpStatusCode.Unauthorized)...

I'm using Laravel 6.7 and attempting to use Passport for user authentication. I'm able to create an access token for the user when they register. Here is the code: $user = User::create($input); $...

When using the OAuth 2.0 JWT Refresh token implementation I came across the issue that it's really difficult to implement a solid Refresh Strategy on the Web Browser Client Side. Multiple Tabs can ...

I create a realtime connection via SignalR From client(angular 9) and server(asp.net core 3.1) and Authorize hub by JWT Token such as below code : private createConnection() { this.hubConnection...

I am going to implement JWT authentication for several independent services. There will be auth.example.com and service1.example.com, service2.example.com etc. My assumptions: JWT can be kept in c...

I have added AddOpenIdConnect to the ConfigureServices method of my ASP.NET Core 3.1 Razor application. It works great until the token expires, then I get 401 responses from my IDP. I have seen an...

In the last few days I've been reading on Authentication with refresh and access tokens, but this is one thing I can't find the answer to. Let's say an expired access token is sent. Should the back...

I have a set of APIs purely for my own app, so I just have a simple API to create access token, when user provided the email and password /api/access_token (return access_token when email and passw...

I'm making calls to an external API and want to deal with the event that a call returns an Unauthorized HttpResponseMessage. When this happens I want to refresh the access token and make the call a...

I'm having some issues on requesting new refresh tokens in IdentityServer4. Sometime after authentication, I get an Unauthorized response from my API, ok, but when I try to request a new refresh to...

I am trying to implement a catch for 401 responses and tried obtaining a refresh token based on Angular 4 Interceptor retry requests after token refresh. I was trying to implement the same thing, b...

I have a client in keycloak (7.0.0) with given configuration - highlighted option "enables support for 'Client Credentials Grant'": When I obtain a token for that client (POST /auth/real...

I know that (when using the authorization code "Authorization code" in OAuth), the lifetime of an access-token should be short but the lifetime of a refresh token can be long. So I decide...