We are incredibly excited to release cbSecurity version 2.13.0 today. This release packs a big punch in terms of features for our JWT support for RESTFul APIs. We are excited to announce full refresh token support and much more.
# Install install cbsecurity # Update update cbsecurity
ColdBox Security supports the concept of refresh tokens alongside the normal JWT access tokens.
A refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again. Access tokens may be valid for a short amount of time. Once they expire, client applications can use a refresh token to "refresh" the access token.
The client application can get a new access token as long as the refresh token is valid and unexpired. Consequently, a refresh token that has a very long lifespan could theoretically give infinite power to the token bearer to get a new access token to access protected resources anytime. The bearer of the refresh token could be a legitimate user or a malicious user.
You can read all about how we implemented refresh tokens for ColdBox security here: https://coldbox-security.ortusbooks.com/jwt/refresh-tokens
- Adobe 2021 Support
- Migration to GitHub Actions from Travis CI
- Refresh tokens support
- Refresh token endpoint
/cbsecurity/refreshTokenfor secure refresh token generation
- Manual refresh token method on the JwtService :
refreshToken( token )
- Auto refresh token header interceptions for JWT validators
- Detect on
authenticate()if the payload is empty and throw the appropriate exceptions
- Added ability for the
authenticate( payload )to receive a payload to authenticate
- Added ability to recreate the token storage using a force argument
getTokenStorage( force = false )
- Ability for the
parseToken()to choose to store and authenticate or just parse
- Unique jti could have collisions if tokens created at the same time, add randomness to it
TokenExpirationExceptionnot relayed from the base jwt library
variables.settings.jwt.tokenStorage.enabledis disabled all invalidations failed, make sure if the storage is disabled to not throw storage exceptions.