JWT Token expire & refresh


Binu Raj

Mar 9, 2016, 9:45:25 AM
to pac4j-users
Hi LELEU,

I have a task which is ticket expiration and token refresh. Please check the steps I am following and let me know the corrections:

1. casRestAuthenticator authenticates with the CAS server and produces a CasProfile. Then JWTGenerator generates a token using the CasProfile.
2. Users access the API with the JWT tokens. The API URLs are protected with ParameterClient.
3. Is there any default method for JWT token expiry in pac4j?
4. If not, I think we need to create a custom JWT authenticator to authenticate the tokens. The tokens have an issued time, so we can calculate whether the token is valid or not. Is that right?
5. If the token is expired, how can I send the message "token is expired" to users from the JWT authenticator?
6. If the token is expired, how can I refresh to a new token using the old one?

Jérôme LELEU

Mar 10, 2016, 4:47:58 AM
to Binu Raj, pac4j-users
Hi,

I have the feeling we could automatically handle the expiration date in pac4j, though, I'm not sure you could implement what you want.

For your use case, you just need to define an "expiration date" attribute for the user profile and generate the JWT token for it. Then, you can create some custom JWT authenticator to handle expired tokens.
About the refresh token, you need to generate some random string (the refresh token) and attach it to the profile. Then, if the client sends you the expired JWT token and refresh token, you can get the user profile (from the JWT token) and check the refresh token and if ok, update the expiration date and regenerate a new JWT token for it.

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
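Jérôme's design above (an expiration attribute on the profile, a random refresh token, and a re-check of both on refresh) in runnable form. This is an added example, not pac4j code and not code from the thread: the class name, the `sub`/`exp` claim layout, the in-memory refresh store, the secret and the timestamps are all constructed for the demo, and the HS256 signing is hand-rolled so it runs on the bare JDK. Two points the reply leaves implicit are made explicit: the expired JWT's signature is still verified before its profile is trusted on refresh, and only a hash of the refresh token is kept server side and compared in constant time, so an expired JWT by itself (which would carry the refresh token if that were stored as a profile attribute) is not enough to mint a new one.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not pac4j code: HS256 access token with an "exp" claim plus a single-use refresh token,
// of which only the SHA-256 is kept server side. Signing and claim parsing are hand-rolled for the demo.
public class ExpiringTokenDemo {
    enum Status { VALID, EXPIRED, INVALID }
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final byte[] key;
    private final long ttlSeconds;
    // username -> SHA-256 of the refresh token currently accepted for that user (in-memory for the demo)
    private final Map<String, byte[]> refreshStore = new HashMap<>();

    ExpiringTokenDemo(byte[] key, long ttlSeconds) { this.key = key; this.ttlSeconds = ttlSeconds; }

    // Issue an access token valid until now + ttl and a fresh refresh token; returns {jwt, refreshToken}.
    String[] issue(String username, long nowSeconds) {
        String payload = "{\"sub\":\"" + username + "\",\"exp\":" + (nowSeconds + ttlSeconds) + "}";
        byte[] random = new byte[32];
        RNG.nextBytes(random);
        String refreshToken = B64.encodeToString(random);
        refreshStore.put(username, sha256(refreshToken));               // store the hash, never the token
        String signingInput = b64("{\"alg\":\"HS256\"}") + "." + b64(payload);
        return new String[] { signingInput + "." + B64.encodeToString(hmac(signingInput)), refreshToken };
    }

    // Constant-time signature check; returns the payload JSON, or null when the token is not authentic.
    String verifySignature(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return null;
        try {
            if (!MessageDigest.isEqual(hmac(parts[0] + "." + parts[1]), B64D.decode(parts[2]))) return null;
            return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }

    // Three outcomes, so the caller can answer "token expired" differently from "invalid token".
    Status validate(String jwt, long nowSeconds) {
        String payload = verifySignature(jwt);
        if (payload == null) return Status.INVALID;
        return expOf(payload) > nowSeconds ? Status.VALID : Status.EXPIRED;
    }

    // Refresh: the expired JWT must still be authentic (only then is its profile trusted) and the presented
    // refresh token must hash to the stored value; the refresh token is rotated on success.
    String[] refresh(String expiredJwt, String refreshToken, long nowSeconds) {
        String payload = verifySignature(expiredJwt);
        if (payload == null) return null;                                // forged or tampered token
        String user = subOf(payload);
        byte[] stored = refreshStore.get(user);
        if (stored == null || !MessageDigest.isEqual(stored, sha256(refreshToken))) return null;
        refreshStore.remove(user);                                       // single use: the old refresh token dies here
        return issue(user, nowSeconds);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Claim extraction for the flat JSON written by issue(); deliberately not a general JSON parser.
    private static long expOf(String payload) {
        int i = payload.indexOf("\"exp\":") + 6;
        return Long.parseLong(payload.substring(i, payload.indexOf('}', i)));
    }
    private static String subOf(String payload) {
        int i = payload.indexOf("\"sub\":\"") + 7;
        return payload.substring(i, payload.indexOf('"', i));
    }

    public static void main(String[] args) {
        byte[] secret = "constructed-demo-secret-replace-with-32-random-bytes".getBytes(StandardCharsets.UTF_8);
        ExpiringTokenDemo demo = new ExpiringTokenDemo(secret, 300);
        long t0 = 1_457_520_000L;                                        // constructed "now", epoch seconds
        String[] issued = demo.issue("alice", t0);
        System.out.println("just issued: " + demo.validate(issued[0], t0 + 10));
        System.out.println("past TTL:    " + demo.validate(issued[0], t0 + 301));
        String[] renewed = demo.refresh(issued[0], issued[1], t0 + 301);
        System.out.println("renewed:     " + demo.validate(renewed[0], t0 + 302));
        System.out.println("replayed refresh rejected: " + (demo.refresh(issued[0], issued[1], t0 + 302) == null));
    }
}
```

The tri-state `validate` is what a custom authenticator needs in order to report "expired" separately from "invalid"; the refresh path re-verifies the signature precisely because the request is, by definition, carrying a token that has already failed the expiry check. In production the refresh store would live in a database keyed by user or session, and the hand-rolled JWT code would be replaced by the library pac4j already uses.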

Binu Raj

Mar 10, 2016, 5:23:23 AM
to pac4j-users
Yes, that is understood. But my only doubt is how can I send a "token expired" response to the client side from my custom authenticator?

Binu Raj

Mar 10, 2016, 6:14:18 AM
to pac4j-users
Hi,

If I am throwing a custom token expired exception from the authenticator, how can I catch it and how can I send a response to the client?


Jérôme LELEU

Mar 10, 2016, 9:10:17 AM
to Binu Raj, pac4j-users
Hi,

I guess you need some custom logic from the wrapping client (CredentialsException are by default caught and considered as authentication failures).

Thanks.
Best regards,
Jérôme



Jérôme LELEU

Mar 10, 2016, 9:35:13 AM
to Binu Raj, pac4j-users
Hi,

I'm not sure what you mean by "response to client", but pac4j client will catch CredentialsException from the authenticator and consider them as authentication failures. You may bypass that or customize the client to have a special behaviour.

Thanks.
Best regards,
Jérôme



Binu Raj

Mar 10, 2016, 11:18:03 AM
to pac4j-users
Hi LELEU,
I can explain the "response to client". Here client means the end user.
1. I have a URI which is protected with a parameter client.
2. The user accesses the controller URI with a JWT token.
3. My custom JWT authenticator will verify whether the token is expired or not.
4. If expired, we need to send a response/message to the user like "token is expired".
The points below are my confusion areas:
1. If the token is expired, we can throw an exception from the custom JWT authenticator.
2. But where can I catch that error, and how do I write the message in the response?
3. If I generate a custom error code / custom exception for token expiry, can I configure an error page in web.xml?
Please check the attached screenshot also.

Attachment: 2016-03-10.png

Jérôme LELEU

Mar 10, 2016, 2:11:24 PM
to Binu Raj, pac4j-users
Hi,

OK. So you use a JwtAuthenticator in a ParameterClient. In fact, you will need to customize both.

1) from your CustomJwtAuthenticator, throw a TokenExpiredException (inheriting from TechnicalException) when the token is expired

2) in the CustomParameterClient, copy/paste the getCredentials method (https://github.com/pac4j/pac4j/blob/1.8.x/pac4j-http/src/main/java/org/pac4j/http/client/direct/DirectHttpClient.java#L64) and add a catch for TokenExpiredException and then throw a RequiresHttpAction.forbidden("Token expired", context)

Note that in pac4j 1.9, you'll be able to throw the RequiresHttpAction directly from the CustomJwtAuthenticator.

Thanks.
Best regards,
Jérôme



Binu Raj

Mar 11, 2016, 2:23:05 AM
to pac4j-users
Hi,

I can use 1.9.0-SNAPSHOT. I changed the version of pac4j in my pom.xml. And then I created a customJWTAuthenticator. But I think I have missed some jars.

1. org.pac4j.core.profile.creator.AuthenticatorProfileCreator
2. org.pac4j.core.credentials.TokenCredentials
3. org.pac4j.core.credentials.authenticator.TokenAuthenticator

These classes are missing in my JWT authenticator. But my pac4j version is 1.9.0-SNAPSHOT and I also have the dependency on pac4j-core.



Jérôme LELEU

Mar 11, 2016, 2:24:42 AM
to Binu Raj, pac4j-users
Hi,

You cannot use pac4j v1.9.0-SNAPSHOT until the implementation has upgraded to it (currently, no pac4j implementation uses it: J2E and Play will be upgraded next week as a starting point).

Stay on pac4j 1.8.7

Thanks.
Best regards,
Jérôme



Binu Raj

Mar 11, 2016, 6:22:17 AM
to pac4j-users
OK. Thanks for the information. I tried to implement it the way you suggested in your last mail. I can explain the way:

1. Created a custom ParameterClient and copied the getCredentials method.

2. Created a JWT authenticator and validated whether the token is expired or not.

3. After throwing the TokenExpiredException from the authenticator, the ParameterClient catches that exception and executes the RequiresHttpAction.forbidden method.

4. RequiresHttpAction.forbidden("token expired", context): this code is not working. Some errors are occurring.

Please check these errors:

SPRING WEB PAC4J DEMO 15:01:42.041 [qtp1445222369-22] DEBUG o.p.s.w.RequiresAuthenticationInterceptor - credentials: null
SPRING WEB PAC4J DEMO 15:01:42.041 [qtp1445222369-22] DEBUG o.p.s.w.RequiresAuthenticationInterceptor - profile: null
SPRING WEB PAC4J DEMO 15:01:42.041 [qtp1445222369-22] DEBUG o.p.s.w.RequiresAuthenticationInterceptor - unauthorized
2016-03-11 15:01:42.041:WARN:oejs.Response:qtp1445222369-22: Committed before 401 null
2016-03-11 15:01:42.066:WARN:oejs.ServletHandler:qtp1445222369-22: 
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.IllegalStateException: Committed
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)


Jérôme LELEU

Mar 11, 2016, 11:07:06 AM
to Binu Raj, pac4j-users
Hi,

I'm a bit surprised by the error you get. Can we have the whole stack trace especially the part with the pac4j packages?

Re-reading the source code, what I proposed should have failed with a TechnicalException (500 error), as RequiresHttpAction is not supported for direct clients in the getCredentials method: https://github.com/pac4j/spring-webmvc-pac4j/blob/master/src/main/java/org/pac4j/springframework/web/RequiresAuthenticationInterceptor.java#L108

I'll certainly change that when upgrading to pac4j v1.9.

Thanks.
Best regards,
Jérôme



Binu Raj

Mar 11, 2016, 12:10:41 PM
to pac4j-users
Hi LELEU,

Here I am attaching my complete log file; let me know your comments. Is there any other way to do that? Or how can I fix this?


Attachment: log.txt

Jérôme LELEU

Mar 12, 2016, 4:52:41 AM
to Binu Raj, pac4j-users
Hi,

Are you sure you throw a RequiresHttpAction from the new ParameterClient because it doesn't seem so as the "credentials: null" log is displayed (https://github.com/pac4j/spring-webmvc-pac4j/blob/master/src/main/java/org/pac4j/springframework/web/RequiresAuthenticationInterceptor.java#L110)?

Thanks.
Best regards,
Jérôme



Binu Raj

Mar 14, 2016, 12:30:07 AM
to pac4j-users
Hi,

Here I am attaching the complete log file with the required source files: ParameterClient, JwtAuthenticator and TokenExpiredException.
Please make a quick review of these files and let me know the actual issue.

Attachments: log.txt, TokenExpiredException.java, JwtAuthenticator.java, ParameterClient.java

Jérôme LELEU

Mar 14, 2016, 6:52:45 AM
to Binu Raj, pac4j-users
Hi,

In your ParameterClient, you have:

RequiresHttpAction.forbidden("token expired", context);

This should be:

throw RequiresHttpAction.forbidden("token expired", context);

Thanks.
Best regards,
Jérôme



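The wiring Jérôme describes in this thread (a TokenExpiredException extending TechnicalException thrown from the authenticator, caught in the ParameterClient and turned into a `throw RequiresHttpAction.forbidden(...)`), written out as an added example. It is not pac4j code and not the files attached to the thread: it is pac4j 1.8.x-style code from memory, so the class and attribute names (`ExpiringJwtAuthenticator`, `ExpiringParameterClient`, the `expiration` profile attribute, the `authError` session key) are assumptions, and whether `getCredentials` can be delegated to via `super` rather than copied as Jérôme suggested should be checked against the 1.8.x sources linked earlier in the thread.

```java
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.exception.RequiresHttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.http.client.direct.ParameterClient;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;

// Added example against pac4j 1.8.x as recalled here, not pac4j's own code; names are assumptions.

/** Signals an authentic but expired token. Extends TechnicalException on purpose: a
 *  CredentialsException would be swallowed by the client and become a generic 401. */
class TokenExpiredException extends TechnicalException {
    TokenExpiredException(String message) { super(message); }
}

/** JwtAuthenticator that additionally enforces an "expiration" profile attribute (epoch seconds). */
class ExpiringJwtAuthenticator extends JwtAuthenticator {
    /** Attribute the issuing side put on the profile before JwtGenerator signed it (assumed name). */
    static final String EXPIRATION_ATTRIBUTE = "expiration";

    ExpiringJwtAuthenticator(String signingSecret) { super(signingSecret); }

    @Override
    public void validate(TokenCredentials credentials) {
        super.validate(credentials);                        // signature check first; populates the profile
        UserProfile profile = credentials.getUserProfile();
        Object exp = profile == null ? null : profile.getAttribute(EXPIRATION_ATTRIBUTE);
        if (!(exp instanceof Number)) {
            // No expiration at all is bad credentials (generic 401), never "valid forever".
            throw new CredentialsException("token carries no " + EXPIRATION_ATTRIBUTE + " attribute");
        }
        long nowSeconds = System.currentTimeMillis() / 1000L;
        if (((Number) exp).longValue() <= nowSeconds) {
            throw new TokenExpiredException("token expired at " + exp);
        }
    }
}

/** ParameterClient that turns the expired-token exception into an explicit 403. */
class ExpiringParameterClient extends ParameterClient {
    ExpiringParameterClient(String parameterName, ExpiringJwtAuthenticator authenticator) {
        super(parameterName, authenticator);
    }

    @Override
    public TokenCredentials getCredentials(WebContext context) throws RequiresHttpAction {
        try {
            return super.getCredentials(context);           // extract + validate as the stock client does
        } catch (TokenExpiredException e) {
            // Leave the reason in the session so the error page can say "token expired"
            // instead of the generic "unauthorized" text.
            context.setSessionAttribute("authError", e.getMessage());
            throw RequiresHttpAction.forbidden("token expired", context); // thrown, not merely called
        }
    }
}
```

Wire it as `new ExpiringParameterClient("token", new ExpiringJwtAuthenticator(signingSecret))` in place of the stock ParameterClient. The order of the two checks is the security-relevant part: `super.validate` runs first, so the expiration attribute is only read from a profile whose signature has been verified; reading it from an unverified token would let a caller set its own expiry. A missing attribute is rejected rather than treated as "no expiry". As the thread goes on to establish, the 403 only reaches the browser once the surrounding implementation (spring-webmvc-pac4j here) lets a RequiresHttpAction from a direct client through instead of reporting "Unexpected HTTP action".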

Binu Raj

Mar 14, 2016, 7:07:06 AM
to pac4j-users
Hi ,

I changed the line to throw RequiresHttpAction.forbidden("token expired", context); but an "Unexpected HTTP action" error is occurring. Please check my log and help me to resolve the issue.


Attachment: log.txt

Jérôme LELEU

Mar 14, 2016, 7:16:14 AM
to Binu Raj, pac4j-users
Hi,

Yes, this is currently not supported, I'll change that when upgrading to pac4j v1.9.

The best you can do right now is to customize the authenticator and throw a TokenExpiredException inheriting from CredentialsException: this will generate a null credentials and trigger a generic 401 error page.

Thanks.
Best regards,
Jérôme



Binu Raj

Mar 14, 2016, 7:34:15 AM
to pac4j-users
Hi,

Can I create a new error page for this type of expired error? I mean I can create an exception class which has an error code 888, and it will be configured in web.xml like this:

<error-page>
	<error-code>888</error-code>
	<location>/WEB-INF/pages/888.jsp</location>
</error-page>

Please check this link: http://www.mkyong.com/spring-mvc/spring-mvc-exception-handling-example/
Is this the right way?


Jérôme LELEU

Mar 14, 2016, 10:50:29 AM
to Binu Raj, pac4j-users
Hi,

Currently, the error will be handled internally in RequiresAuthenticationInterceptor and be a generic 401 error page so you won't be able to distinguish the expired token from another one.

The only option is to change the RequiresAuthenticationInterceptor: I opened: https://github.com/pac4j/spring-webmvc-pac4j/issues/1 and will fix it asap and let you know. Stay tuned.

Thanks.
Best regards,
Jérôme
 


Binu Raj

Mar 14, 2016, 11:52:36 AM
to pac4j-users
Thanks LELEU. I am waiting for pac4j 1.9.0. I think that will fix my issues. Thanks.



Jérôme LELEU

Mar 14, 2016, 3:06:38 PM
to Binu Raj, pac4j-users
Hi,

Sorry if I was unclear. My plan was to update that behaviour when upgrading to pac4j v1.9.

But, this can be easily done in advance. I just updated spring-webmvc-pac4j v1.0.3-SNAPSHOT: https://github.com/pac4j/spring-webmvc-pac4j/commit/14639d742b8e2ee04376bde8c0e6dcfb668596b8

Can you re-test it?

Thanks.
Best regards,
Jérôme



Binu Raj

Mar 15, 2016, 12:55:47 AM
to pac4j-users
Thanks for your update. I changed the version of spring. Let me know one more thing: how can I show this "token expired" message in my 403.jsp? Now the page shows an "unauthorized" message.



Jérôme LELEU

Mar 15, 2016, 3:41:36 AM
to Binu Raj, pac4j-users
Hi,

I think you have several options: as you can "break" the flow, you could certainly cast the context to a J2E context, retrieve the request and response and forward to the appropriate error page. Or you can simply put some info in session you will use to display the appropriate error message.

Thanks.
Best regards,
Jérôme



Binu Raj

Mar 15, 2016, 3:45:58 AM
to pac4j-users
Thanks LELEU. I did the job. Thanks a lot.

