[ https://issues.apache.org/jira/browse/OFBIZ-13212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17934536#comment-17934536 ]
Jacques Le Roux commented on OFBIZ-13212:
-----------------------------------------

Hi Arashpreet,

Here are some points to discuss about security. I have not yet pushed [your plugins PR|https://github.com/apache/ofbiz-plugins/pull/135/files] because I want to clarify these points. For now here, if needed in dev or even in the security ML.

* [As you explained|https://github.com/apache/ofbiz-framework/pull/881#issuecomment-2705962672], you decided to set the refresh token validity to 86,400 seconds (24 hours). That sounds too much to me. I believe 8 hours, or even less, would be enough. People rarely work longer than that on Single-Page Applications (SPAs) or mobile applications, which are mostly what the consumers of ID tokens are, as explained by the [auth0.com link|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/] I posted in my 1st comment.
* Anyway, IMO that would be insufficient. For instance auth0 is using [a rotation mechanism|https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation] that sounds like a wise solution to me. The idea is to have short-term refresh tokens replaced each time a refresh token is called (see the Auth0 article excerpt quoted below). [The complete process is explained simply but well here|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#Refresh-Token-Automatic-Reuse-Detection]. I guess this would be while calling {color:#1daf3e}AuthenticationResource::refreshToken{color}, right? BTW this allows [storing refresh tokens in local storage|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#You-Can-Store-Refresh-Token-In-Local-Storage].
* Also something must be said about the secure solution we chose in [sy-password-and-JWT.adoc|https://github.com/apache/ofbiz-framework/blob/19c32a51946d89b1da60d204b7845983c820772f/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc], which can also be used as a starting point for reflection.

This said, {color:#1daf3e}AuthenticationResource::refreshToken{color} is not used OOTB. So we could still commit the plugins PR since there would be no possible vulnerability. Of course I'd prefer to have something safe for our users. Else at least we need to document it in sy-password-and-JWT.adoc.

h5. Auth0 article excerpt

bq. With refresh token rotation enabled in the Auth0 Dashboard, every time an application exchanges a refresh token to get a new access token, a new refresh token is also returned. Therefore, you no longer have a long-lived refresh token that, if compromised, could provide illegitimate access to resources. As refresh tokens are continually exchanged and invalidated, the threat is reduced.

> Authentication refresh token mechanism feature
> ----------------------------------------------
>
>                 Key: OFBIZ-13212
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13212
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/webapp, rest-api
>            Reporter: Arashpreet Singh
>            Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
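The rotation-with-reuse-detection scheme discussed in the comment above, as an added example that is not part of the OFBiz code base or of this Jira thread: an in-memory Java sketch in which every refresh consumes the presented token, issues a replacement in the same token family, and revokes the whole family as soon as an already-consumed token is presented again. The `RefreshTokenRotation` class, the 8-hour lifetime, the `HashMap` storage and the opaque access-token placeholder are all assumptions made for illustration; a real `AuthenticationResource::refreshToken` would issue a JWT and persist the token records in an entity rather than in memory.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.LongSupplier;

/**
 * Rotating refresh tokens with automatic reuse detection, kept in memory.
 * Every refresh consumes the presented token and issues a new one in the same
 * "family"; presenting an already-consumed token revokes the entire family.
 * Hypothetical illustration only, not OFBiz code.
 */
public class RefreshTokenRotation {

    /** Refresh token lifetime; 8 hours is the value floated in the comment, not a project setting. */
    static final long REFRESH_TTL_SECONDS = 8L * 3600L;

    /** What login or refresh hands to the client. The access token is an opaque
     *  placeholder standing in for the JWT a real implementation would mint. */
    public static final class IssuedTokens {
        public final String accessToken;
        public final String refreshToken;
        IssuedTokens(String accessToken, String refreshToken) {
            this.accessToken = accessToken;
            this.refreshToken = refreshToken;
        }
    }

    /** Server-side record for one refresh token. */
    private static final class RefreshRecord {
        final String family;          // shared by every token descended from one login
        final String userLoginId;
        final long expiresAtEpochSec;
        boolean consumed;             // true once this token has been exchanged
        RefreshRecord(String family, String userLoginId, long expiresAtEpochSec) {
            this.family = family;
            this.userLoginId = userLoginId;
            this.expiresAtEpochSec = expiresAtEpochSec;
        }
    }

    private final Map<String, RefreshRecord> store = new HashMap<>();
    private final Set<String> revokedFamilies = new HashSet<>();
    private final SecureRandom random = new SecureRandom();
    private final LongSupplier clock; // epoch seconds, injectable so the demo can fast-forward

    public RefreshTokenRotation(LongSupplier clock) { this.clock = clock; }

    private String randomToken() {
        byte[] buf = new byte[32];
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    private IssuedTokens issue(String family, String userLoginId) {
        String refresh = randomToken();
        store.put(refresh, new RefreshRecord(family, userLoginId, clock.getAsLong() + REFRESH_TTL_SECONDS));
        return new IssuedTokens(randomToken(), refresh);
    }

    /** Password authentication succeeded elsewhere; start a fresh token family. */
    public IssuedTokens login(String userLoginId) {
        return issue(randomToken(), userLoginId);
    }

    /** Exchange a refresh token. An empty result means the client must log in again. */
    public Optional<IssuedTokens> refresh(String presented) {
        RefreshRecord rec = store.get(presented);
        if (rec == null || revokedFamilies.contains(rec.family)) {
            return Optional.empty();                 // unknown token, or its family was already killed
        }
        if (rec.consumed) {
            revokeFamily(rec.family);                // reuse detected: somebody replayed a spent token
            return Optional.empty();
        }
        if (rec.expiresAtEpochSec <= clock.getAsLong()) {
            store.remove(presented);
            return Optional.empty();                 // expired normally, nothing suspicious
        }
        rec.consumed = true;                         // rotate: the old token is single-use and now spent
        return Optional.of(issue(rec.family, rec.userLoginId));
    }

    /** Invalidate every token descended from the same login, consumed or not. */
    public void revokeFamily(String family) {
        revokedFamilies.add(family);
        store.values().removeIf(r -> r.family.equals(family));
    }

    public static void main(String[] args) {
        long[] now = {1_700_000_000L};
        RefreshTokenRotation svc = new RefreshTokenRotation(() -> now[0]);

        IssuedTokens t0 = svc.login("admin");
        IssuedTokens t1 = svc.refresh(t0.refreshToken).orElseThrow(); // legitimate rotation
        System.out.println("rotation issued a new refresh token: " + !t1.refreshToken.equals(t0.refreshToken));

        // An attacker who stole t0 replays it after the real client has already rotated.
        boolean replayAccepted = svc.refresh(t0.refreshToken).isPresent();
        // Reuse detection revoked the family, so the victim's current t1 is dead too and
        // forces a re-login; the attacker gains nothing from the stolen token.
        boolean victimStillValid = svc.refresh(t1.refreshToken).isPresent();
        System.out.println("replay accepted: " + replayAccepted + ", victim token still valid: " + victimStillValid);

        IssuedTokens t2 = svc.login("admin");
        now[0] += REFRESH_TTL_SECONDS + 1;                             // idle past the TTL
        System.out.println("expired token accepted: " + svc.refresh(t2.refreshToken).isPresent());
    }
}
```

The family-wide revocation is the part that distinguishes rotation with reuse detection from plain rotation: because the server cannot tell whether the replayed token came from the attacker or from the legitimate client, it invalidates both and makes the real user re-authenticate, which is exactly the trade-off the quoted Auth0 excerpt describes. Note that consumed records are deliberately kept in the store until the family is revoked or expires, since the reuse check depends on still recognising a spent token.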