Refresh Tokens

[Mochnant]

I'm working on a standalone App, and using Flask-Security (thanks for maintaining it!) for a backend API.

It doesn't seem like Flask-Security supports Refresh Tokens, so I am in a position where I either need to have very long lived Authentication Tokens (not great) or ask the user for their password again (also not great).

Is there a preferred way to do this, or is there support possible? I could try writing up my own, but this is not something I'd want to do if I didn't have it (leaving it to the pros, and all that).

Also entirely possible I am totally confused, so feel free to point me in a different direction, if so.

Thanks!

[jwag956]

It is true that FS doesn't support the concept of refresh tokens - which is a 'oauth' concept. This sort of depends on what you are trying to do - if this is a web application - then I strongly recommend using session cookies - not auth tokens. If this is a script - then refresh tokens aren't really all that useful?

[Mochnant]

Thanks for the reply. I agree with what you've said. As it happens, though, it is neither a web app or a script, it is a standalone desktop executable (think non-mobile game). There may be a way to use sessions for this exe, I will look into what might be possible there.

The refresh token seemed like the recommended way to avoid storing password data and allowing short lived auth tokens.

Does this have any impact on your thinking, or do you still recommend sessions? Maybe a different way to ask it would be how auth tokens are expected to be used in FS? Short-lived only and then require the username/password to get a new one? Or as long lasting API keys that don't expire? I know FS supports both ways, just curious your thinking on my situation.

Thanks again!

[jwag956]

I don't pretend to me an expert here - but I would think that for a desktop app - you would use the local OS 'vault' - e.g. keychain on a mac to store (if the user allows) the credentials (user/pass) - then have your app generate a auth token that is valid say for a day - then once your app gets a 401 it gets the creds from the vault and re-authenticates getting a new auth token. Note that in FS passwords are basically 'revokable' - either by the user changing it or administratively.
A question is - what precisely are you worried about having a long-lived access token? Is the security posture of your app worth the hassle?
You could of course create your own 'refresh token' pretty easily (though FS doesn't support that out of the box). A bit hand-wavy - but basically:

• have an api 'get_refresh_token' that if authenticated calls user.get_auth_token() - this will return a signed, timestamped token. (yes it can be used to log in - if that's an issue - use itdangerous() directly).
• store that 'refresh' token.
• set SECURITY_TOKEN_MAX_AGE to be as long as you want your access token to live (15minutes?)
• when your app gets a 401 since the token expired - grab the 'refresh' token and have a view in your app that validates the refresh token (here you would have to use some internal FS logic) and generates a new auth_token and returns it.

I can go into more details if this is interesting.

[Mochnant]

You're 100% right that the ever lasting token is not really a major problem, and that should inform my direction. In fact, I expect the majority of users to go through Steam (or Epic) authentication, so this is really just for the edge cases (direct sales or DRM free release, perhaps?) and testing.

Your suggestion to store it in an OS keychain is an interesting one, though I hate to have to do something OS specific if I can avoid it. Worth me researching.

I really appreciate the suggestions for how to build my own. Great details. I may give it a try if I need to. It depends on how paranoid I get! :) I'm happy to hear more details if you want to share them, but please don't feel obligated. You've more than answered my question already!

Perhaps if you're looking for a new feature to explore the refresh token might be an idea., though.

Thank you again!