How to refresh tokens in NbPasswordAuthStrategy

[cloakedch]

I would like to know how refreshing tokens with the NbPasswordAuthStrategy is supposed to be implemented on the server side. As there is no refresh-/access-token concept like in the NbOAuth2AuthStrategy, I have the impression that it is only possible to refresh a token using an already expired token. Is that correct? I read that refreshing an expired token has security implications.

[uracs]

Hi!

I also want to implement a refreshing token concept with NbPasswordAuthStrategy but I can't find how I can store and reach refresh token using NbAuthService.
If you find the solution could you help me?

Thanks advanced,
l.

[sasikumardr]

below snippets should do the trick.

NbAuthModule.forRoot({
    strategies: [
      NbPasswordAuthStrategy.setup({
        name: 'email',
        ...
        token: {
          class: NbAuthOAuth2JWTToken,
          key: 'token'
        }
      })
    ]
   ...
   {
    provide: HTTP_INTERCEPTORS,
    useClass: NbAuthJWTInterceptor,
    multi: true
  }
  ...

in server

function login(req, res) {
  //login logic to be added
  const dbUser =loggedInuser
  res.json({
    token: {
      access_token: 'jwt access token here',
      refresh_token: 'refreshtoken here'
  });
}

function refreshToken(req, res) {
  const reqAccessToken = req.body.token.access_token;
  const reqRefreshToken = req.body.token.refresh_token;

  const jwtPayload = undefined; // add logic for decode access token
  const dbUser = undefined; // add logic for db user lookup using jwtPayload.user_id
  // generate new access token
  res.json({
    token: {
      access_token: 'jwt access token here',
      refresh_token: 'same refreshtoken here'
  });
}

[kgrigorian]

this would be very helpful functionality

[dpcamp]

@sasikumardr I know this is an old post but I'm curious if this actually works for you? I tried this, but I don't believe the refreshToken strategy is being called from this.authService.isAuthenticatedOrRefresh() in the NbAuthJWTInterceptor interceptor.

I can successfully log in, but when it comes time to refresh my token it seems to loop at the interceptor, and I don't ever see my backend endpoint being hit.

[dpcamp]

@sasikumardr I know this is an old post but I'm curious if this actually works for you? I tried this, but I don't believe the refreshToken strategy is being called from this.authService.isAuthenticatedOrRefresh() in the NbAuthJWTInterceptor interceptor.

I can successfully log in, but when it comes time to refresh my token it seems to loop at the interceptor, and I don't ever see my backend endpoint being hit.

Just in case anyone else runs into this issue, I needed to have the endpoint for my refresh-token added to the NB_AUTH_TOKEN_INTERCEPTOR_FILTER provider

I had one for my login endpoint, but realized I needed a second one for my refresh endpoint as well

      provide: NB_AUTH_TOKEN_INTERCEPTOR_FILTER,
      useValue: function (req: HttpRequest<any>) {
         if (req.url === `${environment.apiUrl}/login`)
         {
         return true
         } 
         if (req.url === `${environment.apiUrl}/refresh-token`)
        {
           return true
         }
         else {
          return false
         }
      },

found this over at
akveo/ngx-admin#1375

[AllTerrainDeveloper]

I still have the same problem.

I tried to implemente refresh-token as @sasikumardr said, but still doesn't work.

If I use the NbAuthJWTToken the app just work fine, but when the token expires, the token-refresh endpoint, is called, issued a new one but it seems it is not stored anywhere.

If I try the NbAuthOAuth2JWTToken implementation, then I cannot even login. even with the code proposed by @dpcamp

EDIT:
Debugging I see that AuthGuard has the authenticated parameter set to undefined. So login is working but somehow authguard, is not.

isAuthenticatedOrRefresh() { ... ... return of(token.isValid()); <---------------- token.token == token.payload

EDIT2:
For the next one, just keep in mind that you have to return in your server a token object, i've just realised that was returning different thing and not exactly:

{
    token: {
      access_token: 'jwt access token here',
      refresh_token: 'same refreshtoken here'
    }
}

EDIT3:
Still not working... I am in the same situation as with NbAuthJWTToken. The new token is not stored or used

EDIT4:
Too many hours working on a row :) I can say that everything works perfectly

[fbarajas-fmg]

@AllTerrainDeveloper what was your final solution?

[AllTerrainDeveloper]

Sorry, I can't remember, but it was my fault.

My initial problem was that client was not storing the new token after refresh the token. I changed the NbAuthJWTToken with the OAuth2 one, it now made the client to look into an object called token, with the fields access_token and refresh_token. I was sending from my server side, two token objects, instead of on token object, with the two tokens inside.

But I barely remember, that I had changed the token key to token_access, instead of just token.

Loving so far this nebular framework