Luis Majano

September 02, 2021

We are incredibly excited to release cbSecurity version 2.13.0 today. This release packs a big punch in terms of features for our JWT support for RESTful APIs. We are excited to announce full refresh token support and much more.

# Install
install cbsecurity

# Update
update cbsecurity

Refresh Tokens

ColdBox Security supports the concept of refresh tokens alongside the normal JWT access tokens.

What Is a Refresh Token?

A refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again. Access tokens may be valid for a short amount of time. Once they expire, client applications can use a refresh token to "refresh" the access token.

The client application can get a new access token as long as the refresh token is valid and unexpired. Consequently, a refresh token that has a very long lifespan could theoretically give infinite power to the token bearer to get a new access token to access protected resources anytime. The bearer of the refresh token could be a legitimate user or a malicious user.

You can read all about how we implemented refresh tokens for ColdBox security here: https://coldbox-security.ortusbooks.com/jwt/refresh-tokens
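
The access/refresh flow described above, modeled in Python as an added example; it is not cbSecurity's code or API. The function names, the lifetimes, the in-memory `storage` set and the single-use invalidation of a refresh token are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"                    # constructed value, demo only
ACCESS_TTL, REFRESH_TTL = 60 * 60, 7 * 24 * 60 * 60    # assumed lifetimes in seconds
storage = set()                                        # stand-in token storage: jti values still valid

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(data: str) -> str:
    return _b64(hmac.new(SECRET, data.encode(), hashlib.sha256).digest())

def issue(sub: str, kind: str, ttl: int, now: float) -> str:
    # The jti mixes the timestamp with random bytes, so two tokens minted in
    # the same instant cannot collide in storage.
    jti = hashlib.sha256(f"{now}{secrets.token_hex(16)}".encode()).hexdigest()
    claims = {"sub": sub, "type": kind, "iat": int(now), "exp": int(now) + ttl, "jti": jti}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    storage.add(jti)
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def decode(token: str, now: float) -> dict:
    head, body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(f"{head}.{body}")):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["jti"] not in storage:
        raise ValueError("token invalidated")
    return claims

def login(sub: str, now: float) -> dict:
    return {"access_token": issue(sub, "access", ACCESS_TTL, now),
            "refresh_token": issue(sub, "refresh", REFRESH_TTL, now)}

def refresh(refresh_token: str, now: float) -> dict:
    claims = decode(refresh_token, now)
    if claims["type"] != "refresh":          # an access token must not mint new tokens
        raise ValueError("not a refresh token")
    storage.discard(claims["jti"])           # single use: a replayed copy is rejected
    return login(claims["sub"], now)
```

The refresh token's `exp` bounds how long a stolen copy stays useful, and invalidating it on use means a replay after the legitimate client has refreshed fails with "token invalidated".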

What's New With 2.13.0

Added

  • Adobe 2021 Support
  • Migration to GitHub Actions from Travis CI
  • Refresh tokens support
  • Refresh token endpoint /cbsecurity/refreshToken for secure refresh token generation
  • Manual refresh token method on the JwtService : refreshToken( token )
  • Auto refresh token header interceptions for JWT validators
  • Detect on authenticate() if the payload is empty and throw the appropriate exceptions
  • Added ability for the authenticate( payload ) to receive a payload to authenticate
  • Added ability to recreate the token storage using a force argument getTokenStorage( force = false )
  • Ability for the parseToken() to choose to store and authenticate or just parse

Fixed

  • Unique jti could have collisions if tokens were created at the same time; randomness is now added to it
  • TokenExpirationException not relayed from the base jwt library
  • If variables.settings.jwt.tokenStorage.enabled was disabled, all invalidations failed; storage exceptions are no longer thrown when the storage is disabled
