8 Answer(s)
-
0
You have the source code.
You can also take a look at the PR: aspnetzero/aspnet-zero-core#2561
-
0
I can see that once the user is successfully authenticated, a refresh token is returned to the Angular client along with the access token. When an access token expires, tokenAuth/RefreshToken is called and a new access token is issued if the refresh token provided is valid. What I cannot find is: when a refresh token expires, how does it work?
Thanks
-
0
Do you mean on the client side?
-
0
I am trying to understand the auth flow here with the access token and refresh token.
-
0
On the client side, the auth flow is briefly described in PR aspnetzero/aspnet-zero-core#2777:
If the user selects "Remember me", the refresh token will be stored. Then, if any request gets a 401, AbpHttpInterceptor:
- will block all requests,
- store them in a BehaviorSubject,
- try to get an access token,
- if it succeeds, re-handle all requests,
- otherwise go to login.
You can refer to the source code in src/abpHttpInterceptor.ts.
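
The flow listed above (hold requests on a 401, renew the access token once, replay, otherwise go to login) as a framework-free JavaScript sketch. This is an added example, not part of the original post and not the code in abpHttpInterceptor.ts; `createAuthClient`, `createFakeBackend`, `transport`, `refresh` and `goLogin` are hypothetical names, and the in-memory backend is constructed for the demo.

```javascript
// Added example; all names here are hypothetical, not the project's API.
function createAuthClient({ transport, refresh, goLogin, tokens }) {
  let refreshing = null; // shared promise while a token refresh is in flight

  // Single-flight refresh: concurrent 401s all wait on the same promise.
  function renewAccessToken() {
    if (!refreshing) {
      refreshing = refresh(tokens.refreshToken)
        .then((accessToken) => { tokens.accessToken = accessToken; })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  async function send(request, retried = false) {
    // Hold new requests while a refresh is running.
    if (refreshing) await refreshing.catch(() => {});
    const used = tokens.accessToken;
    const response = await transport(request, used);
    if (response.status !== 401) return response;
    // No stored refresh token ("Remember me" off) or the replay failed too.
    if (retried || !tokens.refreshToken) { goLogin(); return response; }
    if (used === tokens.accessToken) { // nobody has rotated the token yet
      try {
        await renewAccessToken();
      } catch (err) {
        // Refresh token rejected (expired or revoked): forget both tokens.
        tokens.accessToken = tokens.refreshToken = null;
        goLogin();
        return response;
      }
    }
    return send(request, true); // replay once with the current access token
  }
  return { send };
}

// Constructed in-memory backend: only the token "at-2" is accepted.
function createFakeBackend(refreshTokenValid) {
  const state = { refreshCalls: 0 };
  const transport = async (request, token) =>
    ({ status: token === "at-2" ? 200 : 401, url: request.url });
  const refresh = async (refreshToken) => {
    state.refreshCalls += 1;
    if (!refreshTokenValid) throw new Error("refresh token rejected");
    return "at-2";
  };
  return { state, transport, refresh };
}
```

Three concurrent requests that all receive a 401 trigger a single refresh call, and a rejected refresh token clears both stored tokens before sending the user to login.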
-
0
But this is not secure. If one can manage to steal the refresh token, he can always be authenticated.
-
0
Hi,
Since the cookie is stored in the browser/client side, if one can steal the cookie from the browser, doesn't it mean the client's machine has already been compromised?
In that case, it is commonly handled by revoking all the login sessions of the user, and the access/refresh token will not be able to authenticate again.
-
0
This issue is closed because of no recent activity. Please open a new issue if you are still having this problem.