This repository has been archived by the owner on Jul 13, 2023. It is now read-only.
Tokens in redirect URL need to be of short lifetime #4
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Currently all tokens generated have a single configuration option for Expiration. If this is set to a high interval, it is possible to re-use a URL based token redirect and re-initiate a logged-out session.
Instead, redirected tokens should have a short expiration time. Refreshed tokens usually live in a client session, header or cookie and can have a longer interval. Therefore consumers will need to refresh their token upon the first opportunity after redirect.
The following things need a bit of refactoring:
authReplymethod should accept atime.Timeinstead of looking to the server config.AuthenticatePwUserandRefreshJWTgRPC methods should accept a time stamp, so the consumer decides the requirements.The text was updated successfully, but these errors were encountered: