Blog

Luis Majano

September 02, 2021

Spread the word


Share your thoughts

We are incredibly excited to release cbSecurity version 2.13.0 today. This release packs a big punch in terms of features for our JWT support for RESTFul APIs. We are excited to announce full refresh token support and much more.


# Install
install cbsecurity

# Update
update cbsecurity

Refresh Tokens

ColdBox Security supports the concept of refresh tokens alongside the normal JWT access tokens.

What Is a Refresh Token?

A refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again. Access tokens may be valid for a short amount of time. Once they expire, client applications can use a refresh token to "refresh" the access token.

The client application can get a new access token as long as the refresh token is valid and unexpired. Consequently, a refresh token that has a very long lifespan could theoretically give infinite power to the token bearer to get a new access token to access protected resources anytime. The bearer of the refresh token could be a legitimate user or a malicious user.

You can read all about how we implemented refresh tokens for ColdBox security here: https://coldbox-security.ortusbooks.com/jwt/refresh-tokens

What's New With 2.13.0

Added

  • Adobe 2021 Support
  • Migration to GitHub Actions from Travis CI
  • Refresh tokens support
  • Refresh token endpoint /cbsecurity/refreshToken for secure refresh token generation
  • Manual refresh token method on the JwtService : refreshToken( token )
  • Auto refresh token header interceptions for JWT validators
  • Detect on authenticate() if the payload is empty and throw the appropriate exceptions
  • Added ability for the authenticate( payload ) to receive a payload to authenticate
  • Added ability to recreate the token storage using a force argument getTokenStorage( force = false )
  • Ability for the parseToken() to choose to store and authenticate or just parse

Fixed

  • Unique jti could have collisions if tokens created at the same time, add randomness to it
  • TokenExpirationException not relayed from the base jwt library
  • If variables.settings.jwt.tokenStorage.enabled is disabled all invalidations failed, make sure if the storage is disabled to not throw storage exceptions.

Add Your Comment

Recent Entries

Building Native CLI Apps with MatchBox & Native Fusion

Building Native CLI Apps with MatchBox & Native Fusion

MatchBox makes BoxLang practical for a classic deployment target: the single-file command-line application.

The MatchBox open beta is available at https://github.com/ortus-boxlang/matchbox.

With the MatchBox native target, you can compile a .bxs script into a standalone executable for macOS, Linux, or Windows. The generated binary includes the MatchBox VM core and your compiled BoxLang bytecode. It does not require a JVM, a separate MatchBox install, or any runtime on the target machine.

Jacob Beers
Jacob Beers
July 14, 2026