I want to use API in my .net WinForms application which are closed by JWT token. Such tokens can be received from the Identity Provider using Authorization Code Flow + PKCE. I worked with such flow before in Web Application and I know how to request code, exchange it on the access token and I used silent refresh approach to refresh the access tokens. For my clientId I'm not able to use refresh tokens. So, I'm slightly confused how to implement to refresh tokens in the Winforms application. It's definitely I need to open Login page to allow the customer enter credentials. Then I guess I need to catch code from the Redirect URL. It seems I need to use loopback IP address as a redirect URL and catch request in the application. But how to set up refreshing process I have no idea. Please help with advice or add links to examples.
Refresh token in Desktop App for OAuth2 Authorization Code Flow
329 Views Asked by SlavaHq At
1
There are 1 best solutions below
Related Questions in WINFORMS
- What is this namespace ITypeOfObjectsBoundToListBox ? Couldn't find it
- How to Require Confirmation on Form Close When there is Changed Data in a DataGridView
- self updating drawings C#
- Missingmanifestresourseexeption in auto genereted code of ImageList
- Child form implement in C# Winform
- Cannot find InvalidCastException in C# Application
- some labels appear gray in Visual Studio 2010
- c# richtextbox search with 2 forms
- Menu out of place when application is in full screen by Windows API
- How to access the Index of a changed Selection in a Datagridview
- showing a black transparent box over picturebox with an Image
- how to deselect all in RichTextBox before selecting newly found text?
- How to remove white space between border and BackColor?
- Validation DataGridView Windows Forms
- Invoke of a UserControl doesn't work
Related Questions in OAUTH-2.0
- Not getting refresh token with google oauth2
- SoundCloud Authentication Consistently Returns 401 invalid_grant For Some Users
- How can I share Azure Active Directory authentication between server side and client script?
- OAuth2 and API Json request not working with jQuery Call
- Flask-Restful, oauth, and Salesforce
- Bearer token in MVC controller to access Web API
- Revoking OAuth tokens in Mule
- how to signup user using google-plus integradation in web?
- Need to run getAuthToken twice before receiving access token, why?
- chrome.identity.getAuthToken and refresh token?
- dropbox api authentication (Error: [400] 'invalid_client')
- Retrieve Google Sites's Domain Index feed using OAuth 2.0 with Service Account
- hello.js: Is it possible to set the provider's settings dynamically?
- How to share developer account at LinkedIn
- Linkedin Unsupported POST target
Related Questions in JWT
- Is my JWT refresh plan secure?
- Basic Auth to Receive Token in Spring Security
- JWT Auth custom user token
- Can JWT be a replacement for session based authentication for web application?
- Batching tokens with Laravel, JWT and Angularjs
- Google OAuth2 JWT token verification exception
- Why do I get SecurityTokenSignatureKeyNotFoundException?
- How does refreshing of jwt token work in django REST angular
- Protractor testing, access and modify Window object properties
- How can i expire my JWT token, when user is idle for sometime(Token based authorization) in nodeJS/Express and Angular
- Why is the Spring Security REST Plugin not compatible with JDK 1.6?
- Would I need CSRF if using JWT?
- Parser exception in JWT when encryption and signing is enabled
- JSON Web Token (JWT) with Spring based SockJS / STOMP Web Socket
- JWT (JSON Web Token) in C++ using boost and openssl bug
Related Questions in OAUTH-REFRESH-TOKEN
- AADSTS9002327 error in Refresh Token Flow in Azure AD
- Understanding JWT Token Workflow with Short-lived Tokens and Refresh Tokens
- MS Graph Access Token Refresh with GuzzleHttp
- What is the security risk of having longer Refresh token in Authorization server?
- Better approach to use refresh token rotation and reuse detection with Amazon Cognito
- Refresh token in Desktop App for OAuth2 Authorization Code Flow
- Linkedin API : No refresh token with accessToken
- How do I invalidate a refresh jwt on logout? - Nodejs and Reactjs
- Spotify api returning invalid refresh token even though the refresh token is new
- OAuth2 Via GitHub Api - Refresh Token missing
- Refresh TOKEN and PKCE extension
- How to implement refresh token in django-oauth-toolkit? I'm able to get access_token but the refresh token isn't coming with it
- Unable to retrieve refresh_token via hybrid oauth2 flow
- Difficulty Generating Refresh Token in Akeneo OAuth2 Integration
- Why do Refresh Token expires after every 7 days ? Does it affects the file upload on production
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
For a desktop app you should follow the recommendations from RFC8252. Without a token refresh you will get usability problems. Eg access token expires after 15 or 30 minutes, then user experiences a re-opening of the system browser.
This might be fine for a high security app, such as for banking, but for most apps it is not what you want. Alternatives such as long lived access tokens are bad from a security viewpoint, since the long lived value is then exposed on every API request.
You won't be able to use silent renew via hidden iframes either, since you don't have that much control over the system browser. You can only open it by executing a URL.
So you have these main choices, and maybe you can explain trade offs to stakeholders. You won't be able to implement a workaround in code:
Locking down what can be done with an access token issued to the desktop app - using scopes and claims - is usually the main mitigation of this type of security concern.