Saturday, March 31, 2018

AngularJS token authentication with sliding expiration in state transitions with ui-router version 1.x


In our application we have a requirement that a user should stay logged in for a certain amount of time which is configurable by the system admin, say 10 minutes. We have another requirement that when the user navigates to different parts of the app, this time should be refreshed and set back to that configured amount.

Our application is written in AngularJS and we use ui-router for routing, so when the user navigates between different states, the time until logout gets updated.

The back-end is written in .NET and we use JWT tokens for authentication. The token has a field named expiration, and at the beginning of each request we check that the token has not expired.

My problem is that I don't know how to tell the server that it should update the token expiration time. I am using ui-router version 1, which has some hooks for doing server-side things before state transitions, and I ended up with something like this:

  $transitions.onBefore({ to: "*" }, function(trans) {
    // update the client UI, and also tell the server to update
    // the timeout on the server side and in the database
    return authService.refreshToken();
  });

But I am uncertain whether this approach is correct. I couldn't find a good solution for such a problem in a REST architecture, so I would be very grateful if you could tell me the pros and cons of this method or point me to the right implementation.

2 Answers

Answer 1

THEORY

As far as I can see, the JWT standard doesn't really say anything about refresh. (https://tools.ietf.org/rfc/rfc7519.txt)

If I understand your problem correctly, you want somebody's token to be renewed automatically after X minutes of inactivity. I guess the approach you want is a sliding session.

You can see a good article about it there: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

The best practice in such a case is not to extend the life of the token but to request a new one. You will find many articles and conventions talking about it. For security reasons, the shorter the lifetime is, the more secure it is.

Even though it is written for OAuth, here is a really good article listing different ways of token management: https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/


USE CASE

In your API, I would provide a refreshToken that permits renewing the token through an HTTP request.

In your front end, I would make a service that stores the last transition date, let's say lastTransitionDate = new DateTime(). It will also store the token, the refreshToken and the expiration date of the token.

Now, when you have a transition:

  1. You check if the token is still valid,
  2. If the token is no more valid and if the lastTransitionDate is more than X minutes ago, you force the logout.
  3. If the token is no more valid but the lastTransitionDate is less than X minutes, then you ask for a new token thanks to your refreshToken.
  4. After all checks you reset lastTransitionDate.

The only thing you need to be sure of is that X is long enough to make sure that a user won't be disconnected if he just spent some time reading some stuff on a page without triggering a transition.
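The four steps above, written out as an added example (not the answerer's code and not ui-router API): a small session model plus a decision function a `$transitions.onBefore` hook could call. `createSession`, `decideOnTransition`, `handleTransition`, `refreshFn` and the sample token are assumed names; the client decodes `exp` only to decide between proceed, refresh and logout, and the server still verifies the signature and expiry on every request.

```javascript
// Decode the `exp` claim of a JWT WITHOUT verifying the signature. The client
// uses it purely for the sliding-session decision; authorization stays server-side.
function decodeJwtExp(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  const payload = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (typeof payload.exp !== "number") throw new Error("JWT has no exp claim");
  return payload.exp * 1000; // exp is seconds since epoch; work in milliseconds
}

// State the front-end service keeps (assumed shape): token, refresh token,
// last transition time and the token's expiry.
function createSession(token, refreshToken, lastTransitionMs) {
  return { token, refreshToken, lastTransitionMs, expMs: decodeJwtExp(token) };
}

// Steps 1-3: "proceed" while the token is valid; once expired, "logout" if the
// user has been idle longer than X, otherwise "refresh" with the refresh token.
function decideOnTransition(session, nowMs, inactivityLimitMs) {
  if (nowMs < session.expMs) return "proceed";
  const idleMs = nowMs - session.lastTransitionMs;
  return idleMs > inactivityLimitMs ? "logout" : "refresh";
}

// Step 4: apply the decision and reset lastTransitionDate. `refreshFn` stands in
// for the HTTP call that exchanges the refresh token for a new JWT.
function handleTransition(session, nowMs, inactivityLimitMs, refreshFn) {
  const decision = decideOnTransition(session, nowMs, inactivityLimitMs);
  if (decision === "logout") return { decision, session: null };
  let next = session;
  if (decision === "refresh") {
    const fresh = refreshFn(session.refreshToken);
    next = createSession(fresh.token, fresh.refreshToken, nowMs);
  }
  return { decision, session: { ...next, lastTransitionMs: nowMs } };
}

// Constructed sample token for offline use: real header/payload encoding, but the
// signature segment is a placeholder, so it would fail server-side verification.
function makeSampleToken(expSeconds) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ exp: expSeconds })}.placeholder`;
}
```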

Answer 2

Well, you cannot simply refresh the expiry of the token without changing it. This is because the expiry is coded in the token itself. So, when you want to change the expiry of the token, you need to change the token itself.

Being specific to your case, if you want to refresh the user's timeout threshold, the server will have to create a new token for each request and send it back in the response (using headers, maybe). The UI will have to store this token after the request completes.

This way, the UI will always have the latest JWT available. And you don't have to make a call such as authService.refreshToken(), which is kind of an inefficient approach, as the server automatically takes care of it.

Also, if the user is inactive for some time (say 10 minutes) and then makes a request to the server, the JWT sent from the UI is already expired, and the server can signal the UI to expire the session.
