This repository has been archived by the owner on May 1, 2024. It is now read-only.

Adding method to request a refresh token #79

Open: wants to merge 1 commit into base: master

Conversation

jbogard

@jbogard jbogard commented Nov 11, 2014

Closes #47. You still typically need to subclass and override GetInitialUrlAsync:

public override Task<Uri> GetInitialUrlAsync()
{
    string uriString = string.Format(
        "{0}?client_id={1}&redirect_uri={2}&response_type={3}&scope={4}&state={5}&access_type=offline&approval_prompt=force",
        this.AuthorizeUrl.AbsoluteUri,
        Uri.EscapeDataString(this.ClientId),
        Uri.EscapeDataString(this.RedirectUrl.AbsoluteUri),
        this.AccessTokenUrl == null ? "token" : "code",
        Uri.EscapeDataString(this.Scope),
        Uri.EscapeDataString(this.RequestState));
    var url = new Uri(uriString);

    return Task.FromResult(url);
}

But I found that method varied per OAuth provider a bit, and I still want other changes so I didn't bother messing with the URI.

@moljac
Member

moljac commented Nov 16, 2015

Hi Jimmy

Do you have a (minimal) sample for this pull request, please?

thanks

Mel

@jbogard
Author

jbogard commented Nov 16, 2015

Well, I did, but now it's broken because of #95. I'll see if I can't get a minimum example.

@moljac
Member

moljac commented Nov 16, 2015

Hey Jimmy

Do not worry about iOS 9. I have already changed Info.plist for all samples. I just need to have a sample for the refresh token.

regards

Mel

@darrellbooker

@jbogard any luck on getting a sample?

@deepinderCognitive

@jbogard / @moljac - any update on this?

@moljac
Member

moljac commented Jul 12, 2016

Jimmy's code was added a while ago, but during the work on the Evolve16 labs it was decided to extract it into a separate NuGet, Xamarin.Auth.Extensions, which will depend on Xamarin.Auth. This decision was made based on a discussion that refresh token requesting is not part of the standard and for some users it may raise security issues.

The code is here:
https://github.com/xamarin/Xamarin.Auth/tree/portable-bait-and-switch/source/Extensions

Jimmy's method:
https://github.com/xamarin/Xamarin.Auth/blob/portable-bait-and-switch/source/Extensions/Xamarin.Auth.Extensions.LinkSource/OAuth2AuthenticatorExtensions.cs

Nuget nuspec:
https://github.com/xamarin/Xamarin.Auth/blob/portable-bait-and-switch/nuget/Xamarin.Auth.Extensions.nuspec

Missing:

  • sample (minimal) for testing
  • Windows platforms (IN PROGRESS)

@jbogard
Author

jbogard commented Aug 26, 2016

Anything I need to do on my side, or should I close this?

@moljac
Member

moljac commented Aug 27, 2016

Don't close it yet please.

Do you have this old sample? I'd like to add it to the samples.

@hvaughan3 hvaughan3 mentioned this pull request Sep 4, 2016
@modplug

modplug commented Sep 6, 2016

@jbogard: Do you have the sample laying around somewhere?

@jbogard
Author

jbogard commented Sep 9, 2016

Nah, this was from an internal app. Just trying to get some time to build a
sample :)


@dazinator

+1 for a sample that utilises refresh tokens please!

@ghost

ghost commented Dec 9, 2016

@moljac: Jimmy's code was added a while ago, but during the work on the Evolve16 labs it was decided to be extracted into separate nuget Xamarin.Auth.Extensions which will depend on Xamarin.Auth. This decision was made based on discussion that Refresh Token requesting is not part of the standard and for some users it may raise security issues.

Sorry for the rather late response on this, but I don't believe refresh tokens should be outside of the scope of Xamarin.Auth.

First of all, refresh tokens are included in the main OAuth 2.0 specification / framework: https://tools.ietf.org/html/rfc6749#section-1.5

Refresh tokens are an integral part of the security that OAuth 2.0 offers. Without them you have to resort to access tokens with a long expiry and as access tokens cannot always be revoked, this potentially leaves a hole where an attacker could perform operations against a user's data without a way of resolving the issue.

To clarify on my statement that access tokens cannot always be revoked, if you look at the OAuth 2.0 token revocation document (https://tools.ietf.org/html/rfc7009#section-2) you'll see that while you must be able to revoke refresh tokens, you only should be able to revoke access tokens.

Google allow revocation of access tokens but they are a special case where the resource application is controlled by the identity provider. The OAuth 2.0 token revocation document goes into further details about the implementation of this (https://tools.ietf.org/html/rfc7009#section-3), but one of the key selling points of OAuth is that the access token can be self-contained and therefore the resource server does not need to go back to the authorisation server in order to verify the token. This means that in a generic OAuth 2.0 implementation, the only point at which we can guarantee that the identity provider will be able to revoke a token is during a refresh.

For this reason and because this library is a generic implementation and not Google / Facebook specific, there are a couple of things that I believe Xamarin.Auth should do in order to help users of this library ensure the security of their applications:

  1. Ensure that refresh token support is a first class citizen of the library - This means not putting it in a separate extension method / namespace.
  2. Do not support persistence of access tokens and never demonstrate this in the samples - As a best practice, access tokens should be requested with a short lifetime (8 hours maximum?) and held in memory only for the duration of the process. In order to prevent the user from having to log in every time they start the application, refresh tokens should be persisted (securely, in an encrypted form) and exchanged for an access token on startup if available. Encrypting an access token and storing it in a device key-store or similar is, in my opinion, always an "OAuth anti-pattern".
  3. Provide example usage which includes refresh token handling in the main getting started samples.

If implemented correctly, refresh tokens increase security rather than decreasing it.

-Andrew.

@candidodmv

Hi @jbogard @moljac! How is this implementation going? Could you please give a usage sample?
Thanks!

@jbogard
Author

jbogard commented Dec 19, 2016 via email

@candidodmv

I'm excited to see this publishing. Thanks @jbogard

@johnshardman

Is there a sample available showing how to refresh a token using Xamarin.Auth ?

@ghost

ghost commented Mar 15, 2017

Any update on this?

@candidodmv

candidodmv commented Mar 15, 2017

@jbogard is the only one that has the answer for us. And so, @jbogard, have you done the sample usage?

Thank you.

@theVietCoder

@jbogard I installed Xamarin.Auth.Extension on NuGet to use your method but ended up having these errors:
The type 'Resource' exists in both 'Xamarin.Auth.Extensions, Version=1.3.0.14858, Culture=neutral, PublicKeyToken=null' and 'Xamarin.Auth, Version=1.3.0.0, Culture=neutral, PublicKeyToken=null' ShowCalendar.Android Android\Resources\Resource.Designer.cs
these are the resources:
global::Xamarin.Auth.Resource.Id.webview
global::Xamarin.Auth.Resource.Layout.activity_webview
global::Xamarin.Auth.Resource.String.library_name
global::Xamarin.Auth.Resource.String.title_activity_webview

@riyadparvez

What's the status of this PR?

@theVietCoder

any update on this issue?

@lewixlabs
Contributor

I wrote a sample on my gist.
It's an inherited class from OAuth2Authenticator and it works with my custom identity provider (refresh_token is correctly returned in the properties of the account object).

Hi,
Lewix

@praveenkrjha

Xamarin.Auth.Extensions has a method "RequestRefreshTokenAsync" to refresh the token. However, it returns an integer value (expires_in). Shouldn't it also return the new access_token?
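Andrew's recommendations above (a short-lived access token held only in memory, the refresh token persisted securely and exchanged for a fresh access token on startup, revocation being guaranteed only at refresh time) and the question just asked about RequestRefreshTokenAsync returning only expires_in, worked through as an added C# example. This is not code from Xamarin.Auth, Xamarin.Auth.Extensions or this PR. The token endpoint URL, client id, token values, the RefreshTokenStore class (standing in for a platform secure key store) and the FakeTokenEndpoint handler are constructed assumptions; the refresh request itself is the grant_type=refresh_token exchange of RFC 6749 section 6.

```csharp
// Added example, not Xamarin.Auth code: the refresh-token lifecycle of RFC 6749 section 6. The
// access token lives in memory only, the refresh token is the only persisted secret, and a refresh
// yields a new access token as well as a new expiry. Endpoint URL, client id and token values are
// constructed, and the fake endpoint lets the program run offline (.NET 6 or later).
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Demo: a constructed initial code-exchange result whose access token is already expired.
var store = new RefreshTokenStore();
var manager = new OAuth2TokenManager(new HttpClient(new FakeTokenEndpoint()),
                                     new Uri("https://idp.example/token"), "client-id", store);
await manager.ApplyTokenResponseAsync("{\"access_token\":\"at-1\",\"refresh_token\":\"rt-1\",\"expires_in\":0}");
Console.WriteLine(await manager.GetAccessTokenAsync());   // at-2, obtained through a refresh
Console.WriteLine(await store.LoadAsync());               // rt-2, the rotated refresh token

// Stand-in for the platform key store (Xamarin.Essentials.SecureStorage in a real app).
// Only the refresh token is ever written here; the access token is never persisted.
public sealed class RefreshTokenStore
{
    private string _value;
    public Task<string> LoadAsync() => Task.FromResult(_value);
    public Task SaveAsync(string refreshToken) { _value = refreshToken; return Task.CompletedTask; }
}

public sealed class OAuth2TokenManager
{
    private readonly HttpClient _http;
    private readonly Uri _tokenUrl;
    private readonly string _clientId;
    private readonly RefreshTokenStore _store;
    private string _accessToken, _refreshToken;   // memory only, gone when the process ends
    private DateTimeOffset _expiresAt;

    public OAuth2TokenManager(HttpClient http, Uri tokenUrl, string clientId, RefreshTokenStore store)
    { _http = http; _tokenUrl = tokenUrl; _clientId = clientId; _store = store; }

    // Applies a token response (RFC 6749 section 5.1). A provider may omit refresh_token on a
    // refresh, in which case the previous one stays valid; a rotated one is persisted.
    public async Task ApplyTokenResponseAsync(string json)
    {
        var root = JsonDocument.Parse(json).RootElement;
        if (root.TryGetProperty("error", out var err))
            throw new InvalidOperationException("token endpoint error: " + err.GetString());
        _accessToken = root.GetProperty("access_token").GetString();
        int expiresIn = root.TryGetProperty("expires_in", out var e) ? e.GetInt32() : 3600;
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresIn);
        if (root.TryGetProperty("refresh_token", out var r) && r.GetString() != _refreshToken)
        { _refreshToken = r.GetString(); await _store.SaveAsync(_refreshToken); }
    }

    // Returns a usable access token, refreshing when it is within 30 s of expiry.
    public async Task<string> GetAccessTokenAsync()
    {
        if (_accessToken != null && _expiresAt > DateTimeOffset.UtcNow.AddSeconds(30))
            return _accessToken;
        _refreshToken ??= await _store.LoadAsync();   // after an app restart only this survives
        if (_refreshToken == null)
            throw new InvalidOperationException("no refresh token; interactive sign-in required");
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token", ["refresh_token"] = _refreshToken, ["client_id"] = _clientId,
        });
        using var resp = await _http.PostAsync(_tokenUrl, form);
        string body = await resp.Content.ReadAsStringAsync();
        if (resp.StatusCode == HttpStatusCode.BadRequest && body.Contains("invalid_grant"))
        {
            // RFC 6749 section 5.2: the refresh token was revoked or expired. Forget it so the app
            // falls back to interactive sign-in instead of retrying a dead credential.
            _accessToken = _refreshToken = null;
            await _store.SaveAsync(null);
            throw new UnauthorizedAccessException("refresh token rejected; interactive sign-in required");
        }
        resp.EnsureSuccessStatusCode();
        await ApplyTokenResponseAsync(body);
        return _accessToken;
    }
}

// Constructed stand-in for a provider's token endpoint: it honours refresh token rt-1 only.
public sealed class FakeTokenEndpoint : HttpMessageHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, System.Threading.CancellationToken ct)
    {
        string form = await req.Content.ReadAsStringAsync();
        bool ok = form.Contains("grant_type=refresh_token") && form.Contains("refresh_token=rt-1");
        string body = ok
            ? "{\"access_token\":\"at-2\",\"token_type\":\"Bearer\",\"expires_in\":3600,\"refresh_token\":\"rt-2\"}"
            : "{\"error\":\"invalid_grant\"}";
        return new HttpResponseMessage(ok ? HttpStatusCode.OK : HttpStatusCode.BadRequest) { Content = new StringContent(body) };
    }
}
```

A caller feeds the JSON of the initial token response into ApplyTokenResponseAsync once and then asks GetAccessTokenAsync before each API call. Two design points differ from an expires_in-only return: the manager hands back the new access token itself, and a refresh token the provider rejects with invalid_grant is dropped from the store rather than retried, which is the moment Andrew's "revocation only at refresh" argument turns into an interactive re-login.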


Successfully merging this pull request may close these issues: Refresh tokens