Using Refresh Token inside of Access Token without HTTPS

I previously read that Access Token must be sent with every request to the API but Refresh Token must be sent ONLY when the Access Token expires.

I’m trying to use a model similar to the conventional one, where the Access Token is a JWT but the Refresh Token is just a random unique string (stored on the server).

So the Access Token JWT claims look like this:

    {
        "user_id": "user123456789",
        "refresh_token": "A9t2G8eH8j2QW2j9U",
        "exp": 154922000
    }

When a client sends a request to my API, the Access Token (JWT) will be sent to the server; if it’s expired, then a new Access Token will be sent to them with a newly generated refresh_token, alongside the HTTP Response of the requested resource (after doing some validation).

This way:

  1. The client only needs to securely save and send one JWT token instead of two with their request.

  2. The client doesn’t have to make a second request just to refresh their Access Token in case it’s expired (no 401 HTTP Response).

- Request with valid AccessToken => (Response with the requested resource)

- Request with expired AccessToken => (Response with the requested resource + NewAccessToken)

The problem here is that the Refresh Token (random unique string) is being sent with every request over the wire in plain text, and I don’t want to force my clients to use HTTPS only.

But then again, even in the “conventional model” the Refresh Token will be sent every X period of time, and a packet sniffer will be able to steal it easily if the connection isn’t over HTTPS.

Am I missing something here? Is my model flawed? Or must the conventional OAuth model be strictly used over HTTPS? Is forcing HTTPS my last resort?

When should refresh tokens be stored in a database?

I have a native Windows application programmed in .NET Core that needs to call a Web API. I intend to have the user enter credentials periodically, receiving a refresh token from my auth server for convenience. Encrypting the refresh token and saving it to my application’s database is looking like the strongest candidate for storing the refresh token securely, and allowing the finest user control (users can potentially access the application from different machines, making the Windows Vault seem less useful).

Are there established “best practices” when storing refresh tokens, or more directly, are there any contraindications raised by my use case? If so, are there other ways besides saving a cookie, which would couple the application not only to individual logins and machines, but also to browser-based infrastructure?

Is this jwt access and refresh tokens logic/structure secure?

  1. User logs in
    1. User gets a refresh_token assigned and stored in the database (long lived, 7d).
    2. Client receives an access token (short lived, 2h) and stores it as a cookie. Client also receives the userId AES encrypted and stores it as a cookie.
    3. As long as the access token is not expired, the user keeps using the token to navigate the website.
    4. The token expires.
    5. The expired access token gets sent to a refresh endpoint, and so does the userId (AES encrypted), both currently stored in our cookies.
    6. The server decrypts the userId and retrieves the refresh token that corresponds to the user by selecting the refresh token from the database using our userId.
    7. Now we have in the server our refresh token and access token, so we refresh the token and send back the new access token. We also generate a new refresh token and overwrite our old refresh token in the database with the new one. (I guess I need to somehow blacklist my old refresh token at this point.)

Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?

I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinking is the following:

  • All connections must be over HTTPS; plain HTTP requests will be redirected to HTTPS.
  • Users have a username and password, which they create.
  • A client submits a username/password to a /login route; if it’s a valid password for that user, the server will return a short-lived access token and a long-lived refresh token.
    • The access token will be a signed JWT that identifies the user and has an expiration time.
    • The refresh token will be a GUID corresponding to a row in a database table; this row will store the user ID.
  • When accessing protected routes (everything but /login), an access token will be required. The server will verify the signature, and if valid, will check the expiration time. If the token is not expired, the user ID will be made available to server-side code for authorization logic.
  • If the access token is expired, the client will automatically submit the refresh token to a /refresh endpoint for requesting a new access token. The server will check the database; if a corresponding row still exists, a new access token will be returned to the client.

Does this scheme sound secure?

Using OAuth2 with JWT, should a client pass along unused refresh tokens on a logout call?

I have a system with an OAuth2 authorization server. It hands out JWT access tokens and refresh tokens (the latter only to the mobile app client).

We don’t persist access tokens (as is normal with JWT) but we do persist the (hashed) refresh tokens together with some meta data to be able to revoke them so that users can log out other devices. We also only allow a single use for refresh tokens, the new request also gives back a new refresh token.

The OAuth2 login server itself uses regular basic auth with sessions. The user wants to be able to log out (single devices/clients) here. So of course I have to invalidate the session itself. But ideally I want to remove the refresh token that this client still has as well. The problem is that I don’t know that refresh token. A particular user could in theory have requested multiple of them with their code request. The refresh token is also not normally passed in requests (only the access token).

Should I ask the clients (which are currently all under our own development) to send along their unused refresh tokens? Even if they ‘forget’ their refresh tokens locally, it still seems better if I also delete them on the server so they don’t linger around until their expiry time. Note I do know all the refresh tokens currently in use for a certain account but I don’t want to just delete them all because that would mean all devices are logged out. We also save some user agent-like info with the refresh tokens so users can use that to manually logout other devices, but it seems like a bad idea to try to perform string matching on those to automate that process.
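The five questions above all circle the same server-side design points: keep the refresh token out of the access token, persist only a hash of it, make it single-use, and be able to revoke one device without logging out the others. The following is an added example, not code from any of the posts, that puts those pieces together with the standard library only. The signing key, TTLs, user ids and device names are constructed; the HS256 token builder stands in for whatever JWT library the real service would use, and the in-memory dictionaries stand in for the database table the posts describe. It deliberately does not reproduce the “encrypted userId in a cookie” step from the third post, since the server can look the user up from the refresh token record itself.

```python
# Added example (not from any of the posts above): a minimal server-side
# refresh-token store with hashed storage, single-use rotation, reuse
# detection and per-device revocation, plus an HS256 access token built
# with the standard library only. All keys, ids and TTLs are constructed.
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: loaded from config in a real service
ACCESS_TTL = 2 * 3600           # 2 h, as in the posts
REFRESH_TTL = 7 * 24 * 3600     # 7 d, as in the posts


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(user_id: str, now: int) -> str:
    """Compact HS256 JWT carrying only the user id and an expiry (no refresh token inside)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": user_id, "exp": now + ACCESS_TTL}, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_access_token(token: str, now: int):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class RefreshTokenStore:
    """Server-side store: only SHA-256 hashes of refresh tokens are persisted."""

    def __init__(self):
        self.active = {}    # token hash -> {"user", "family", "device", "exp"}
        self.consumed = {}  # hash of a rotated-away token -> family id, for reuse detection

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, device: str, now: int, family=None) -> str:
        """Mint a fresh random refresh token; a 'family' ties all rotations of one login together."""
        token = secrets.token_urlsafe(32)
        self.active[self._h(token)] = {"user": user_id, "family": family or secrets.token_hex(8),
                                       "device": device, "exp": now + REFRESH_TTL}
        return token

    def revoke_family(self, family: str) -> None:
        for h in [h for h, r in self.active.items() if r["family"] == family]:
            del self.active[h]

    def rotate(self, token: str, now: int):
        """Single-use rotation: returns (access_token, new_refresh_token) or None."""
        h = self._h(token)
        if h in self.consumed:  # an already-used token came back: treat the whole family as compromised
            self.revoke_family(self.consumed[h])
            return None
        rec = self.active.pop(h, None)
        if rec is None or rec["exp"] <= now:
            return None
        self.consumed[h] = rec["family"]
        new_refresh = self.issue(rec["user"], rec["device"], now, rec["family"])
        return issue_access_token(rec["user"], now), new_refresh

    def logout(self, token: str) -> bool:
        """Logout with the client's unused refresh token: revokes only that device's family."""
        rec = self.active.get(self._h(token))
        if rec is None:
            return False
        self.revoke_family(rec["family"])
        return True

    def sessions(self, user_id: str):
        """Device names with a live refresh token, for a 'log out other devices' screen."""
        return sorted(r["device"] for r in self.active.values() if r["user"] == user_id)
```

The reuse check in `rotate` is what makes the “blacklist my old refresh token” step from the third post unnecessary as a separate mechanism: the consumed hash is kept, and a second presentation of it revokes every token in that login’s family, which is the rotation-with-reuse-detection behaviour the OAuth 2.0 Security Best Current Practice recommends. `logout` answers the fifth post’s question in code: if the client sends its unused refresh token, the server can revoke exactly that device without touching the others or guessing from user-agent strings.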

Update / refresh mini cart, after custom AJAX add_to_cart event

I need help

In my custom single-product.php template, I added the button

    public function AddToCartButton() {
        global $product;

        if ($product->is_type('variable') || $product->get_stock_status() !== 'instock') {
            $disabled_btn_class = 'btn-am--disabled';
        } else {
            $disabled_btn_class = '';
        }

        $echo  = '<form class="cart single-product-cart" method="post" action="woocommerce_ajax_add_to_cart" enctype="multipart/form-data">';
        $echo .= '<button type="submit" class="single_add_to_cart_button button alt btn-am btn-am--red ' . $disabled_btn_class . '" data-url="' . admin_url("admin-ajax.php") . '"> ' . esc_html($product->single_add_to_cart_text()) . '</button>';
        $echo .= '<input type="hidden" name="add-to-cart" value="' . absint($product->get_id()) . '" />';
        $echo .= '<input type="hidden" name="product_id" value="' . absint($product->get_id()) . '" />';
        $echo .= '<input type="hidden" name="quantity" value="1" />';
        $echo .= '<input type="hidden" name="variation_id" class="variation_id" value="0" />';
        $echo .= '</form>';

        return $echo;
    }

Custom AJAX call

    public function __construct() {
        add_action('wp_ajax_woocommerce_ajax_add_to_cart', [$this, 'ajax_add_to_cart']);
        add_action('wp_ajax_nopriv_woocommerce_ajax_add_to_cart', [$this, 'ajax_add_to_cart']);
    }

    function ajax_add_to_cart() {
        $product_id        = apply_filters('woocommerce_add_to_cart_product_id', absint($_POST['product_id']));
        $quantity          = empty($_POST['quantity']) ? 1 : wc_stock_amount($_POST['quantity']);
        $variation_id      = absint($_POST['variation_id']);
        $passed_validation = apply_filters('woocommerce_add_to_cart_validation', true, $product_id, $quantity);
        $product_status    = get_post_status($product_id);

        if ($passed_validation && WC()->cart->add_to_cart($product_id, $quantity, $variation_id) && 'publish' === $product_status) {

            do_action('woocommerce_ajax_added_to_cart', $product_id);

            if ('yes' === get_option('woocommerce_cart_redirect_after_add')) {
                wc_add_to_cart_message(array($product_id => $quantity), true);
            }

        } else {

            $data = array(
                'error'       => true,
                'product_url' => apply_filters('woocommerce_cart_redirect_after_error', get_permalink($product_id), $product_id)
            );

            wp_send_json($data); // wp_send_json() already echoes the JSON and exits; wrapping it in echo is redundant
        }

        wp_die();
    }

This code works, and if I refresh the page the item has been added to the cart, but it does not work with the hook woocommerce_add_to_cart_fragments.

And in my functions.php I have this code to refresh/update the cart:

    add_filter( 'woocommerce_add_to_cart_fragments', 'wc_mini_cart_ajax_refresh' );
    function wc_mini_cart_ajax_refresh( $fragments ) {
        $fragments['#mcart-stotal'] = '<div id="mcart-stotal" class="mini-cart-footer__total">' . WC()->cart->get_cart_subtotal() . '</div>';
        ob_start();
        echo '<div id="mcart-widget">';
        woocommerce_mini_cart();
        echo '</div>';
        $fragments['#mcart-widget'] = ob_get_clean();

        return $fragments;
    }

And this hook works fine, but not for my custom AJAX button. Why does this happen?
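The woocommerce_add_to_cart_fragments filter is applied inside WooCommerce’s own WC_AJAX::get_refreshed_fragments(), which the stock add-to-cart endpoint calls on success; a custom handler that never calls it never produces fragments for the client to swap in. The following is an added example, not the poster’s code, of a handler that finishes the way WooCommerce’s own does. The nonce action name and field name are assumptions chosen for the example; the form markup would need a matching wp_nonce_field() call.

```php
<?php
// Added example (not the poster's code): an AJAX add-to-cart handler that
// ends by returning the refreshed cart fragments, so the
// 'woocommerce_add_to_cart_fragments' filter runs in this same request.
add_action( 'wp_ajax_woocommerce_ajax_add_to_cart', 'example_ajax_add_to_cart' );
add_action( 'wp_ajax_nopriv_woocommerce_ajax_add_to_cart', 'example_ajax_add_to_cart' );

function example_ajax_add_to_cart() {
    // Assumption: the form carries a nonce field named 'nonce' created for the
    // action 'example_add_to_cart'; it rejects requests not sent from your own pages.
    check_ajax_referer( 'example_add_to_cart', 'nonce' );

    $product_id   = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $quantity     = empty( $_POST['quantity'] ) ? 1 : wc_stock_amount( wp_unslash( $_POST['quantity'] ) );
    $variation_id = isset( $_POST['variation_id'] ) ? absint( $_POST['variation_id'] ) : 0;

    $passed_validation = apply_filters( 'woocommerce_add_to_cart_validation', true, $product_id, $quantity );

    // Check the product is published before touching the cart, not after.
    if ( $passed_validation && 'publish' === get_post_status( $product_id )
        && false !== WC()->cart->add_to_cart( $product_id, $quantity, $variation_id ) ) {

        do_action( 'woocommerce_ajax_added_to_cart', $product_id );

        // Same finish as WooCommerce's own endpoint: build the fragments (this is
        // where 'woocommerce_add_to_cart_fragments' is applied), send them as JSON
        // together with the cart hash, and exit.
        WC_AJAX::get_refreshed_fragments();
    }

    // Failure path: wp_send_json() echoes and exits on its own.
    wp_send_json( array(
        'error'       => true,
        'product_url' => apply_filters( 'woocommerce_cart_redirect_after_error', get_permalink( $product_id ), $product_id ),
    ) );
}
```

On the client side the response then has the same shape as WooCommerce’s own (`fragments` and `cart_hash`), so the custom success callback can trigger `added_to_cart` on `document.body` with `[response.fragments, response.cart_hash]`; WooCommerce’s cart-fragments script listens for that event and replaces each selector in the page with the HTML the filter returned.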

AMD Ryzen 5 3400G on Linux Ubuntu 18.04 (does not work at 60 Hz refresh rate)

I just bought the new 3400G (AMD Ryzen 5 3400G with Radeon Vega Graphics) and I have a problem with the 60 Hz refresh configuration. At 30 Hz all works OK, but when I set the refresh rate to 60 Hz at 3840×2160 the HDMI signal randomly disappears and then reappears, or it shows some ghost lines on the TV randomly…

My current kernel and Ubuntu version:

    ➜  default uname -a
    Linux L-G580 5.0.0-31-generic #33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

    ➜  default lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 18.04.3 LTS
    Release:        18.04
    Codename:       bionic

    06:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc. [AMD/ATI] Picasso [1002:15d8] (rev c8) (prog-if 00 [VGA controller])

    glxinfo | grep OpenGL
    OpenGL vendor string: X.Org
    OpenGL renderer string: AMD RAVEN (DRM 3.27.0, 5.0.0-31-generic, LLVM 8.0.0)
    OpenGL core profile version string: 4.5 (Core Profile) Mesa 19.0.8
    OpenGL core profile shading language version string: 4.50
    OpenGL core profile context flags: (none)
    OpenGL core profile profile mask: core profile
    OpenGL core profile extensions:
    OpenGL version string: 4.5 (Compatibility Profile) Mesa 19.0.8
    OpenGL shading language version string: 4.50
    OpenGL context flags: (none)
    OpenGL profile mask: compatibility profile
    OpenGL extensions:
    OpenGL ES profile version string: OpenGL ES 3.2 Mesa 19.0.8
    OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.20
    OpenGL ES profile extensions:

I appreciate any help. Thank you.

[19.04] Can’t change the refresh rate, am I too dumb?

equipped and read-capable humans, (and I hope write-capable too)

When I want to run some demanding games on my laptop, I normally switch the refresh rate to 40Hz, so that with VSync on, I can run at lower framerate and with no tearing as well.

However, while it works pretty well on Windows, I’ve not been able to do the same on my Ubuntu 19.04. I’ve tried a few things already, with no success. Each time, it behaves like it worked (no error message, and the xrandr command says the active mode is 40Hz), but I can tell nothing has changed, since the game still runs at 60fps VSynced and cursor movement is as smooth as before. To make things simpler, I disabled the Nvidia dGPU with the “prime-select intel” command and tested with the glxgears program, which runs vsynced and windowed.

What I tried:

1) Changing the refresh rate from the GNOME preferences

2) Changing the refresh rate with xrandr (xrandr --output eDP-1 --mode 1920x1080 --rate 40)

3) Creating a custom 40Hz mode and switching to that mode with xrandr (I took the modeline from cvt)

4) Opening a Wayland session and changing the refresh rate from the GNOME preferences

5) Adding video=1920×1080@40 to the kernel command line, and retrying 1, 2, 3 and 4 in that configuration

Hardware: CPU: i7-4710MQ (Intel HD Graphics 4600), dGPU: Nvidia GTX 880M, RAM: 16 GiB

xrandr output:

    ~$ xrandr
    Screen 0: minimum 320 x 200, current 1920 x 1080, maximum 8192 x 8192
    eDP-1 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 382mm x 215mm
       1920x1080     60.01*+  60.01    59.97    59.96    59.93    40.01
       1680x1050     59.95    59.88
       1600x1024     60.17
       1400x1050     59.98
       1600x900      59.99    59.94    59.95    59.82
       1280x1024     60.02
       1440x900      59.89
       1400x900      59.96    59.88
       1280x960      60.00
       1440x810      60.00    59.97
       1368x768      59.88    59.85
       1360x768      59.80    59.96
       1280x800      59.99    59.97    59.81    59.91
       1152x864      60.00
       1280x720      60.00    59.99    59.86    59.74
       1024x768      60.04    60.00
       960x720       60.00
       928x696       60.05
       896x672       60.01
       1024x576      59.95    59.96    59.90    59.82
       960x600       59.93    60.00
       960x540       59.96    59.99    59.63    59.82
       800x600       60.00    60.32    56.25
       840x525       60.01    59.88
       864x486       59.92    59.57
       800x512       60.17
       700x525       59.98
       800x450       59.95    59.82
       640x512       60.02
       720x450       59.89
       700x450       59.96    59.88
       640x480       60.00    59.94
       720x405       59.51    58.99
       684x384       59.88    59.85
       680x384       59.80    59.96
       640x400       59.88    59.98
       576x432       60.06
       640x360       59.86    59.83    59.84    59.32
       512x384       60.00
       512x288       60.00    59.92
       480x270       59.63    59.82
       400x300       60.32    56.34
       432x243       59.92    59.57
       320x240       60.05
       360x202       59.51    59.13
       320x180       59.84    59.32
    DP-1 disconnected (normal left inverted right x axis y axis)
    HDMI-1 disconnected (normal left inverted right x axis y axis)
    HDMI-2 disconnected (normal left inverted right x axis y axis)
    DP-2 disconnected (normal left inverted right x axis y axis)
    HDMI-3 disconnected (normal left inverted right x axis y axis)

Current Xorg log

Assistance in this matter is welcome, even if that means proving that I am, indeed, dumb.