
I am using the passport-openidconnect strategy, which works well, but the expiration of the session is short (3600 seconds) and I don't think it's changeable.

Would I use the refresh token to get another ID token?

If I do where would I add that logic in something like this? https://github.com/passport/express-4.x-openidconnect-example/blob/master/server.js

Mike

1 Answer


The expiration of the session is configurable from the auth provider side. For example, let's say you are using Auth0 as your authentication provider; then you can configure the token timeout in the application settings (https://auth0.com/docs/tokens/guides/access-token/set-access-token-lifetime).


As far as the refresh token is concerned, passport itself doesn't support it and it's up to us to implement it. For Auth0, you can renew the token by following the flow at https://auth0.com/docs/tokens/refresh-token/current. I pasted the code from that link:

var request = require("request");

// refresh_token grant: POST the stored refresh token to the provider's
// token endpoint and receive a fresh access token in the JSON body.
var options = { method: 'POST',
  url: 'https://YOUR_DOMAIN/oauth/token',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  form: 
   { grant_type: 'refresh_token',
     client_id: 'YOUR_CLIENT_ID',
     client_secret: 'YOUR_CLIENT_SECRET',
     refresh_token: 'YOUR_REFRESH_TOKEN' } };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  // body is a JSON string containing access_token, expires_in, etc.
  console.log(body);
});

Or you can use a passport add-on: https://github.com/fiznool/passport-oauth2-refresh

var passport = require('passport')
  , refresh = require('passport-oauth2-refresh')
  , FacebookStrategy = require('passport-facebook').Strategy;

var strategy = new FacebookStrategy({
  clientID: FACEBOOK_APP_ID,
  clientSecret: FACEBOOK_APP_SECRET,
  callbackURL: "http://www.example.com/auth/facebook/callback"
},
function(accessToken, refreshToken, profile, done) {
  // Make sure you store the refreshToken somewhere!
  User.findOrCreate(..., function(err, user) {
    if (err) { return done(err); }
    done(null, user);
  });
});

// Register the strategy with passport and with the refresh add-on;
// the add-on looks it up by the strategy name ('facebook') used below.
passport.use(strategy);
refresh.use(strategy);

// Later, when the access token has expired, exchange the stored
// refresh token for a new access token.
refresh.requestNewAccessToken('facebook', 'some_refresh_token', function(err, accessToken, refreshToken) {
  if (err) { /* handle the failed refresh, e.g. send the user to log in again */ }
  // You have a new access token, store it in the user object,
  // or use it to make a new request.
  // `refreshToken` may or may not exist, depending on the strategy you are using.
  // You probably don't need it anyway, as according to the OAuth 2.0 spec,
  // it should be the same as the initial refresh token.

});
manishg
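The refresh_token grant from the answer, wired into an Express middleware so the token is renewed before it expires rather than on failure. This is an added example, not code from the question, the answer or the linked repository; it assumes the strategy's verify callback stored `{ accessToken, refreshToken, expiresAt }` on `req.session.tokens`, and the `cfg` field names and the injectable `doFetch` are assumptions as well.

```javascript
// Added example, not code from the question or answer. Assumes the verify
// callback stored { accessToken, refreshToken, expiresAt } on
// req.session.tokens; cfg field names and doFetch are assumptions too.
const REFRESH_SKEW_SECONDS = 60; // refresh a minute before expiry
// Build the refresh_token grant request (RFC 6749 section 6).
function buildRefreshRequest(cfg, refreshToken) {
  const form = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: cfg.clientID,
    client_secret: cfg.clientSecret,
    refresh_token: refreshToken,
  });
  return {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  };
}
// True when a refresh token exists and the access token is about to expire.
function needsRefresh(tokens, nowSeconds) {
  if (!tokens || !tokens.refreshToken) return false;
  return tokens.expiresAt - nowSeconds <= REFRESH_SKEW_SECONDS;
}
// POST to the token endpoint and return the updated token set.
async function refreshTokens(cfg, tokens, nowSeconds, doFetch) {
  const res = await doFetch(cfg.tokenURL, buildRefreshRequest(cfg, tokens.refreshToken));
  if (!res.ok) throw new Error('token endpoint returned HTTP ' + res.status);
  const json = await res.json();
  if (typeof json.expires_in !== 'number') throw new Error('expires_in missing');
  return {
    accessToken: json.access_token,
    // Providers may rotate the refresh token; keep the old one if they do not.
    refreshToken: json.refresh_token || tokens.refreshToken,
    expiresAt: nowSeconds + json.expires_in,
  };
}
// Express middleware: mount after express-session and passport.session().
function ensureFreshToken(cfg, doFetch = globalThis.fetch) {
  return async function (req, res, next) {
    try {
      const now = Math.floor(Date.now() / 1000);
      if (needsRefresh(req.session.tokens, now))
        req.session.tokens = await refreshTokens(cfg, req.session.tokens, now, doFetch);
      next();
    } catch (err) {
      next(err); // let the error handler send the user back through login
    }
  };
}
```

Mount it as `app.use(ensureFreshToken(cfg))` after the session and passport middleware; because the token endpoint call is injected, the logic can be exercised without a network.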