Only refresh tokens should be allowed to reauthenticate #253
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Scope of changes
Adds another audience to refresh tokens that identifies them as refresh tokens and verifies them in the Refresh handler.
The basic fix is as follows, the
aud
claim in a JWT token can have multiple items. Access tokens have the audience claim[https://api.rotational.app]
but refresh tokens now have the audience claim[https://api.rotational.app, https://auth.rotational.app/v1/refresh]
. This means that the refresh tokens go through two checks; one that the audience claimhttps://api.rotational.app
is good and then thathttps://auth.rotational.app/v1/refresh
is in the token.I've added a test that shows that valid access tokens are rejected since they don't have this audience.
Fixes SC-13078
Type of change
Acceptance criteria
I'm worried about the security of this model. Should we add a check that requires the access token, possibly expired be in the Authorization header then match the IDs of the two claims before we refresh?
I kind of feel like we should; particularly if we put the access token in a Cookie that is http only and secure.
@masskoder @pdamodaran any thoughts on this?
Author checklist
Reviewer(s) checklist