[ 
https://issues.apache.org/jira/browse/OFBIZ-13212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17934536#comment-17934536
 ] 

Jacques Le Roux commented on OFBIZ-13212:
-----------------------------------------

Hi Arashpreet,

Here are some points to discuss about security. I have not yet pushed [your 
plugins PR|https://github.com/apache/ofbiz-plugins/pull/135/files] because I 
want to clarify these points. For now here, if needed in dev or even in 
security ML.
 * [As you 
explained|https://github.com/apache/ofbiz-framework/pull/881#issuecomment-2705962672]
 you decided to set the refresh token validity to 86,400 seconds (24 hours). 
That sounds too much to me. I believe 8 hours, or even less, would be enough. 
People are rarely working longer than that on Single-Page Applications (SPAs) or 
mobile applications, which are mostly what the consumers of ID tokens are, as 
explained by the [auth0.com 
link|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/] 
I posted in my 1st comment.
 * Anyway, IMO that would be insufficient. For instance, Auth0 is using [a 
rotation 
mechanism|https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation]
 that sounds like a wise solution to me. The idea is to have short-term refresh 
tokens replaced each time a refresh token is exchanged (see the Auth0 article 
excerpt quoted below). [The complete process is explained simply but well 
here|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#Refresh-Token-Automatic-Reuse-Detection].
 I guess this would be done while calling 
{color:#1daf3e}AuthenticationResource::refreshToken{color}, right? BTW this 
allows [storing refresh tokens in local 
storage|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#You-Can-Store-Refresh-Token-In-Local-Storage].
 * Also, something must be said about the secure solution we chose in 
[sy-password-and-JWT.adoc|https://github.com/apache/ofbiz-framework/blob/19c32a51946d89b1da60d204b7845983c820772f/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc],
 which can also be used as a starting point for reflection.

That said, {color:#1daf3e}AuthenticationResource::refreshToken{color} is not 
used OOTB. So we could still commit the plugins PR since there would be no 
possible vulnerability. Of course I'd prefer to have something safe for our 
users. Otherwise, at least we need to document it in sy-password-and-JWT.adoc.

h5. Auth0 article excerpt
bq. With refresh token rotation enabled in the Auth0 Dashboard, every time an 
application exchanges a refresh token to get a new access token, a new refresh 
token is also returned. Therefore, you no longer have a long-lived refresh 
token that, if compromised, could provide illegitimate access to resources. As 
refresh tokens are continually exchanged and invalidated, the threat is reduced.


> Authentication refresh token mechanism feature
> ----------------------------------------------
>
>                 Key: OFBIZ-13212
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13212
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/webapp, rest-api
>            Reporter: Arashpreet Singh
>            Priority: Major
>
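The rotation-with-reuse-detection scheme discussed in the comment above, as an added worked example that is not part of the Jira comment, the Auth0 documentation, or OFBiz's own code. The in-memory store, the class and function names, the 8-hour validity (the value suggested in the comment rather than the 24 hours in the PR) and the constructed "alice"/"bob" scenario are all assumptions made for the example; a real `AuthenticationResource::refreshToken` would persist the records and family revocations in the database instead.

```python
# Added example: refresh-token rotation with automatic reuse detection.
# Assumptions (not from the Jira comment, Auth0 docs or OFBiz): in-memory
# store, 8 h TTL, SHA-256 digests stored instead of raw tokens.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Set

REFRESH_TTL_SECONDS = 8 * 3600  # assumed: 8 h instead of the proposed 24 h


class TokenReuseError(Exception):
    """An already-rotated (or family-revoked) refresh token was presented."""


@dataclass
class RefreshRecord:
    user: str
    family: str         # every token descending from one login shares a family id
    expires_at: float
    used: bool = False  # flipped once this token has been exchanged


class RotatingRefreshStore:
    def __init__(self, clock: Callable[[], float] = time.time,
                 ttl: float = REFRESH_TTL_SECONDS) -> None:
        self._clock = clock
        self._ttl = ttl
        self._records: Dict[str, RefreshRecord] = {}  # sha256(token) -> record
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _mint(self, user: str, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = RefreshRecord(
            user=user, family=family, expires_at=self._clock() + self._ttl)
        return token

    def login(self, user: str) -> str:
        """A fresh login opens a new token family."""
        return self._mint(user, family=secrets.token_hex(8))

    def refresh(self, presented: str) -> str:
        """Rotate: mark the presented token used and mint its successor.

        Reuse detection: a token that is already marked used means two
        parties (the real client and whoever copied it) hold the same
        family, so the whole family is revoked and both must log in again.
        """
        rec = self._records.get(self._digest(presented))
        if rec is None:
            raise ValueError("unknown refresh token")
        if rec.family in self._revoked_families:
            raise TokenReuseError("token family already revoked")
        if rec.used:
            self._revoked_families.add(rec.family)
            raise TokenReuseError("refresh token reuse detected; family revoked")
        if self._clock() > rec.expires_at:
            raise ValueError("refresh token expired")
        rec.used = True
        return self._mint(rec.user, rec.family)

    def family_revoked(self, token: str) -> bool:
        rec = self._records.get(self._digest(token))
        return rec is not None and rec.family in self._revoked_families


def walkthrough() -> Dict[str, bool]:
    """Constructed scenario: a leaked token is replayed after rotation."""
    now = [1_000_000.0]                 # fake clock so expiry can be tested
    store = RotatingRefreshStore(clock=lambda: now[0])
    out: Dict[str, bool] = {}

    rt1 = store.login("alice")          # legitimate client logs in
    leaked = rt1                        # attacker exfiltrates a copy of rt1
    rt2 = store.refresh(rt1)            # client rotates: rt1 -> rt2
    out["rotated"] = rt2 != rt1

    try:                                # attacker replays the stale rt1
        store.refresh(leaked)
        out["replay_rejected"] = False
    except TokenReuseError:
        out["replay_rejected"] = True
    out["family_revoked"] = store.family_revoked(rt2)

    try:                                # the legitimate rt2 is now dead too
        store.refresh(rt2)
        out["victim_logged_out"] = False
    except TokenReuseError:
        out["victim_logged_out"] = True

    rt3 = store.login("bob")
    now[0] += REFRESH_TTL_SECONDS + 1   # past the 8 h validity
    try:
        store.refresh(rt3)
        out["expired_rejected"] = False
    except ValueError:
        out["expired_rejected"] = True
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The point the scenario makes is the one in the Auth0 excerpt: rotation alone only shortens the window, while reuse detection turns a replayed old token into a signal that revokes the whole family, so an attacker who copied a token out of local storage loses access as soon as either party refreshes twice. Storing only digests keeps a dump of the store from yielding usable tokens.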




--
This message was sent by Atlassian Jira
(v8.20.10#820010)