[
https://issues.apache.org/jira/browse/OFBIZ-13212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17934536#comment-17934536
]
Jacques Le Roux commented on OFBIZ-13212:
-----------------------------------------
Hi Arashpreet,
Here are some points to discuss about security. I have not yet pushed [your
plugins PR|https://github.com/apache/ofbiz-plugins/pull/135/files] because I
want to clarify these points. For now here, if needed in dev or even in
security ML.
* [As you
explained|https://github.com/apache/ofbiz-framework/pull/881#issuecomment-2705962672]
you decided to set the refresh token validity to 86,400 seconds (24 hours).
That sound too much to me. I believe 8 hours, or even less, would be enough.
People are rarely working more on a Single-Page Applications (SPAs) or a mobile
application which are mostly what the consumers of ID tokens do as explained by
the [auth0.com
link|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/]
I posted in my 1st comment.
* Anyway, IMO that would be insufficient. For instance auth0 is using [a
rotation
mechanism|https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation]
that sounds a wise solution to me. The idea is to have short term refresh
tokens replaced each time a refresh token is called (see Auth0 article excerpt
quoted below). [The complete process is explained simply but well
here|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#Refresh-Token-Automatic-Reuse-Detection].
I guess this would be while calling
{color:#1daf3e}AuthenticationResource::refreshToken{color}, right? BTW this
allows [to store refresh tokens in local
storage|https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#You-Can-Store-Refresh-Token-In-Local-Storage].
* Also something must be said about the secure solution we choose in
[sy-password-and-JWT.adoc|https://github.com/apache/ofbiz-framework/blob/19c32a51946d89b1da60d204b7845983c820772f/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc]
that can also be used as a start to reflection.
This said {color:#1daf3e}AuthenticationResource::refreshToken{color} is not
used OOTB. So we could still commit the plugins PR since there would be no
possible vulnerabilty. Of course I'd prefer to have something safe for our
users. Else at least we need to document it in sy-password-and-JWT.adoc
h5. Auth0 article excerpt
bq. With refresh token rotation enabled in the Auth0 Dashboard, every time an
application exchanges a refresh token to get a new access token, a new refresh
token is also returned. Therefore, you no longer have a long-lived refresh
token that, if compromised, could provide illegitimate access to resources. As
refresh tokens are continually exchanged and invalidated, the threat is reduced.
> Authentication refresh token mechanism feature
> ----------------------------------------------
>
> Key: OFBIZ-13212
> URL: https://issues.apache.org/jira/browse/OFBIZ-13212
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/webapp, rest-api
> Reporter: Arashpreet Singh
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
