Note: This article focuses on OAuth2 as described in rfc6749.
Hello everyone, recently I have been reading some discussions online about using access tokens (AT) and refresh tokens (RT) in a reasonable way. Some people say that implementing AT is enough, while others argue that RT is also necessary for security. In addition, there are questions about where to store AT and RT in the browser to ensure absolute safety.
Today, let's analyze each issue to see the truth behind it.
First and foremost, for those who are not familiar, an AT is a string (usually a JWT) that is used to represent a user's actions in a system. For example, when you log in to a system, it will return an AT to you, and you store that AT for subsequent API calls.
If websites are built in a server-rendered style, we can also use session cookies to represent the user's session. However, nowadays, with the rise of client-rendered websites using frameworks like React, Angular, Vue, etc., the use of AT and RT is very common.
On the other hand, an RT is a code used to obtain a new AT. Let's clarify why we need to use RT.
First, let's understand what authorization is. Usually, when building a website, user registration and login features are quite common. When you log in, you have to enter a username and password to verify your identity. The system confirms the information you enter is correct and returns an AT, which represents you with certain privileges in that system.
In OAuth, the authorization process is triggered when you click on the sign-up/login button using accounts from Google, Facebook, etc. The system will redirect you to a screen where you need to approve granting access to some of your information, such as email, name, date of birth, etc. At that moment, Google or Facebook will return an AT. Based on that, the other system can retrieve your information to confirm your identity.
In summary, authorization is the process of confirming an identity to obtain an AT, which can be used on behalf of the user to use the system.
Therefore, having an AT is almost equivalent to having an account in a system. Leaking an AT is very dangerous because an attacker can impersonate you and interact with the system without your knowledge. That's why an AT needs to be stored as securely as possible, or if not, its validity period should be minimized. For example, an AT can only be valid for 5 minutes, and after that, the user is required to log in again! If you choose that approach, it can be a terrible user experience :D.
One important thing to note is that an AT is usually a JWT (JSON Web Token). It is a standard for securely transmitting information between parties as a JSON object. This information is highly reliable because it is signed using secret keys and algorithms like HMAC, RSA, or ECDSA.
A JWT consists of three parts: the header, the payload, and the signature. The header contains basic information about the JWT, such as the signing algorithm and expiration time. The payload contains the actual data in the form of a base64-encoded JSON object. Lastly, the signature is a combination of the header and payload encrypted with the secret key and the specified algorithm.
To learn more about JWT, you can read Introduction to JSON Web Tokens.
Because the necessary information for transmission is contained in the payload, the system can identify the user's identity based on it.
For example, my payload might contain the following information:
{
"id" : 1,
"username": "hoaitx"
}
When sent to the system, it can read my ID and determine who I am.
One extremely important note is that the information in the payload is only base64-encoded, which means that from a JWT, I can extract information from the payload. Therefore, you need to be cautious when putting information into the payload before signing it. Make sure that sensitive information such as passwords or unnecessary personal data is not included.
When a JWT is sent to the server, it can easily determine if the signature part is valid. Any modification to the payload will result in a change in the signature as well. Moreover, an attacker will never know the secret key used to sign the modified content.
I wouldn't encourage everyone to implement RT or how to implement it. I know many systems that work well without implementing RT. Instead, I will point out some things to consider when using AT and RT.
There are a few reasons why AT should only exist for a short period of time, such as:
There are also a few reasons why RT is used, such as:
After understanding these reasons, we can see that introducing RT helps address some of the limitations when using only ATs. However, if an AT or RT is leaked, the risk will be high, right? And how should we store them? I will continue writing about it in the next section.
Continue reading Part 2: Why do we need Refresh Tokens? Do you know how to securely store Refresh Tokens and Access Tokens in the browser? Part 2.
5 profound lessons
Every product comes with stories. The success of others is an inspiration for many to follow. 5 lessons learned have changed me forever. How about you? Click now!
Subscribe to receive new article notifications
Hello, my name is Hoai - a developer who tells stories through writing ✍️ and creating products 🚀. With many years of programming experience, I have contributed to various products that bring value to users at my workplace as well as to myself. My hobbies include reading, writing, and researching... I created this blog with the mission of delivering quality articles to the readers of 2coffee.dev.Follow me through these channels LinkedIn, Facebook, Instagram, Telegram.
Comments (4)