[WIP] Add refresh token support to Auth flow #2704
Conversation
Awesome job! There will need to be a lot of testing to make sure everything works as expected, but if it all goes smoothly this will be a great step forward for mobile developers. Have you put any thought into also supporting refresh tokens for any of the OAuth providers? (Many of them already have refresh tokens; I think just the logic is required to use them), a good example being Discord.
As I see in the code, all the providers end up with a JWT token at the end.
@nyzm it depends on the provider. For the most part, once the plugin framework rewrite is done and we can break each provider into its own plugin (and convert over to passport.js), we can likely deal with refresh tokens then. I'm not terribly familiar with OAuth itself, but I figure it was at least worth looking into.
Thank you for this PR! I think we also have to write some lines in the documentation about this new feature: https://github.com/strapi/strapi/blob/master/docs/3.x.x/guides/authentication.md
If I log in for the second time from the same agent, the previous refreshToken is still active.
And when I register from with
Hi Jim, there is a revoke API for refresh tokens. Clients should manage the refresh tokens. Since the same OS on the same device will return the same agent, we cannot really know which device the second login came from. Also, the refresh token should be revoked at logout, which also requires the client to send a revoke request.
…to public role permission
Travis shows a build failure for node 10.15; it can be built successfully on my local machine with the same version of node and npm.
@nyzm I've restarted the node 10 build; it might have just been a random error, but we will see. Sometimes the linting messes up for no reason. 🤷♂️
Side note @nyzm, if I might make a suggestion: there should be an option to revoke all tokens for a user. It might be good to add a button in the admin UI. Just a thought 😄
Might be useful, maybe. But it sounds like a nice-to-have :)
@nyzm not sure if this is just user error, I tried manually applying these changes to my current project (commit is here: canonn-science/CAPIv2-Strapi@2606219 ) Attempting to start strapi after modifications I get the following error in the console:
@lauriejim I worked with @nyzm on Slack and figured out the issue: it fails to start if GraphQL is installed; removing GraphQL, it worked fine. I'm guessing this has something to do with GraphQL automatically generating schema stuff. Is there a way to exclude stuff from that? As this PR won't have a "findOne" option for a token.
Hi @nyzm, thank you for your work. Right now I have a few security concerns about the auth flow you are proposing. We cannot verify who (mobile app / web app etc.) is requesting the refresh token. And we don't have the possibility to request an access token without a refresh token. To add refresh tokens in a secure way we need to work on building a more robust auth server. I recommend this read to get more info: https://auth0.com/docs/tokens/refresh-token/current
@nyzm Do you plan to make any updates on this PR? We cannot merge it until the authentication flow follows the guidelines quoted by @alexandrebodin.
Any updates on this PR? This will be an awesome feature.
@snaerth Not at all, we aren't focused on this feature. I cannot give you any due date for now. What's your use case?
@Aurelsicoko I can't speak for anyone else, but for us the biggest use case is a mobile client. Other options are not very practical or secure, like setting the expiration a long time in the future or storing the username and password.
Hello!
Hi, in my case the auth will be using Firebase and Apple sign-in, which will then request my backend. I was thinking of generating a refresh token and controlling the auth from the backend side once the first authentication is done from the mobile.
5 months, then we have two years since your comment here. What is your roadmap for this topic?
@danielehrhardt sorry, plans have changed. It's most likely going to be sometime between Q2-Q4 of this year.
Will be eagerly waiting for this.
My PR is a:
Main update on the:
Manual testing done on the following databases:
Description:
Using a refresh token to generate a new JWT access token. Mobile clients are required to save both the identifier and the refresh token to be able to get a new access token.
The user/me API will return the tokens of the user (in case multiple mobile and desktop apps are logged in).
Revoke API for deleting the specified token from the database.
I think we will need a way to revoke the JWT tokens as well, which I haven't thought about yet. It's like logging out from a specified device.
Concerns:
Pitch in any concerns or ideas
Regards