Refresh token in Desktop App for OAuth2 Authorization Code Flow
333 Views Asked by SlavaHq

I want to use APIs in my .NET WinForms application which are protected by a JWT token. Such tokens can be received from the Identity Provider using Authorization Code Flow + PKCE. I worked with such a flow before in a web application and I know how to request the code, exchange it for the access token, and I used the silent refresh approach to refresh the access tokens. For my clientId I'm not able to use refresh tokens. So I'm slightly confused about how to implement token refresh in the WinForms application. I definitely need to open the login page to allow the customer to enter credentials. Then I guess I need to catch the code from the redirect URL. It seems I need to use a loopback IP address as the redirect URL and catch the request in the application. But I have no idea how to set up the refreshing process. Please help with advice or add links to examples.

1 answer
For a desktop app you should follow the recommendations from RFC 8252. Without a token refresh you will get usability problems, e.g. the access token expires after 15 or 30 minutes, and then the user experiences a re-opening of the system browser.
This might be fine for a high-security app, such as for banking, but for most apps it is not what you want. Alternatives such as long-lived access tokens are bad from a security viewpoint, since the long-lived value is then exposed on every API request.
You won't be able to use silent renew via hidden iframes either, since you don't have that much control over the system browser. You can only open it by executing a URL.
So you have these main choices, and maybe you can explain the trade-offs to stakeholders. You won't be able to implement a workaround in code:
Locking down what can be done with an access token issued to the desktop app - using scopes and claims - is usually the main mitigation for this type of security concern.
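As an added example (not part of the original answer, and not tied to any particular IdP), this is what the RFC 8252 pattern the answer refers to looks like in C# for a .NET 6+ desktop app: PKCE pair generation per RFC 7636, a loopback HttpListener that receives the redirect, a state check before the code is accepted, and the code exchange without a client secret. The authorize/token endpoint URLs, client id and scope are placeholders; the loopback redirect URI assumes the client was registered with http://127.0.0.1/callback/ and that the IdP accepts any port on that address, as RFC 8252 section 7.3 requires.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Example code (not from the original answer). Placeholder endpoints and client id: replace with your IdP's values.
public sealed class DesktopAuthCodeFlow
{
    const string AuthorizeEndpoint = "https://idp.example.com/oauth2/authorize"; // assumed
    const string TokenEndpoint     = "https://idp.example.com/oauth2/token";     // assumed
    const string ClientId          = "my-winforms-client";                        // assumed
    const string Scope             = "openid api.read";                          // assumed

    static readonly HttpClient Http = new HttpClient();
    string? _accessToken;
    DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    // No refresh token for this client: once the access token is (nearly) expired, the only
    // way to get a new one is to send the user through the system browser again.
    public async Task<string> GetAccessTokenAsync()
    {
        if (_accessToken != null && DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-30))
            return _accessToken;
        (_accessToken, _expiresAt) = await LoginAsync();
        return _accessToken;
    }

    static string Base64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    public static (string Verifier, string Challenge) CreatePkcePair()
    {
        string verifier = Base64Url(RandomNumberGenerator.GetBytes(32));
        return (verifier, Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier))));
    }

    // Ask the OS for a free port; RFC 8252 lets a loopback redirect use any port.
    static int FreeLoopbackPort()
    {
        var probe = new TcpListener(IPAddress.Loopback, 0);
        probe.Start();
        int port = ((IPEndPoint)probe.LocalEndpoint).Port;
        probe.Stop();
        return port;
    }

    async Task<(string Token, DateTimeOffset ExpiresAt)> LoginAsync()
    {
        var (verifier, challenge) = CreatePkcePair();
        string state = Base64Url(RandomNumberGenerator.GetBytes(16));
        string redirectUri = $"http://127.0.0.1:{FreeLoopbackPort()}/callback/";

        using var listener = new HttpListener();
        listener.Prefixes.Add(redirectUri);
        listener.Start();

        string authorizeUrl = AuthorizeEndpoint +
            $"?response_type=code&client_id={Uri.EscapeDataString(ClientId)}" +
            $"&redirect_uri={Uri.EscapeDataString(redirectUri)}&scope={Uri.EscapeDataString(Scope)}" +
            $"&state={state}&code_challenge={challenge}&code_challenge_method=S256";
        // RFC 8252: use the system browser, not an embedded web view.
        Process.Start(new ProcessStartInfo(authorizeUrl) { UseShellExecute = true });

        var ctxTask = listener.GetContextAsync();
        if (await Task.WhenAny(ctxTask, Task.Delay(TimeSpan.FromMinutes(5))) != ctxTask)
            throw new TimeoutException("User did not complete login.");
        var ctx = await ctxTask;
        var q = ctx.Request.QueryString;

        byte[] page = Encoding.UTF8.GetBytes("<html><body>Login complete. You can close this tab.</body></html>");
        ctx.Response.ContentType = "text/html";
        ctx.Response.ContentLength64 = page.Length;
        await ctx.Response.OutputStream.WriteAsync(page, 0, page.Length);
        ctx.Response.Close();

        if (q["error"] != null) throw new InvalidOperationException($"IdP returned error: {q["error"]}");
        // Reject any redirect whose state does not match this login attempt (CSRF / injected-code protection).
        string? returnedState = q["state"];
        if (returnedState == null || !CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(returnedState), Encoding.ASCII.GetBytes(state)))
            throw new InvalidOperationException("state mismatch; discarding authorization code");
        string code = q["code"] ?? throw new InvalidOperationException("no authorization code in redirect");

        // Public client: no client_secret; the code_verifier proves this app started the flow.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code", ["code"] = code, ["redirect_uri"] = redirectUri,
            ["client_id"] = ClientId, ["code_verifier"] = verifier,
        });
        using var resp = await Http.PostAsync(TokenEndpoint, form);
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        string token = doc.RootElement.GetProperty("access_token").GetString()
            ?? throw new InvalidOperationException("token response has no access_token");
        int expiresIn = doc.RootElement.TryGetProperty("expires_in", out var e) ? e.GetInt32() : 300;
        return (token, DateTimeOffset.UtcNow.AddSeconds(expiresIn));
    }
}
```

Call `GetAccessTokenAsync()` before each API request. When the cached token is within 30 seconds of expiry it re-runs `LoginAsync()`, which is exactly the re-opening of the system browser the answer describes: with no refresh token for this client, nothing in the desktop code can avoid that round trip, only the IdP's token lifetime policy can change how often it happens.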