Refreshing tokens with both gitlab and github as authentication providers

[tanshunyuan]

Hi there,
https://next-auth.js.org/tutorials/refresh-token-rotation I have referred to this article but I am still left with doubts on how should I implement refresh token rotation when both my providers are github and gitlab. I have seen the documentation from github indicating that to obtain refresh token, I first need to migrate my github oAuth app to github app. For gitlab, they do provide a refresh token but it does not have an expiry time attached to it. I am lost as to what I should do next, should I just ignore token rotation or find a way to make the whole token refresh thing work.

[balazsorban44]

With only using cookies, it might be hard to support multiple providers, as we have a limit of 4096 bytes in cookie size in most browsers. I was playing with the thought of splitting cookies when they near this limit, but I don't have a clear solution yet. A /token endpoint would help #951 once it is implemented correctly, we could persist tokens in the database and do the rotation for you for multiple providers. Unfortunately, it looks like that this is not likely to be implemented very soon.

[tanshunyuan]

Hmm, ok I see. So currently it would not be possible to mimic vercel's login system until we have a /token endpoint?

[balazsorban44]

I don't have experience with Vercel's login system, and I don't know how they solve this. Do they use cookies or a database?

[tanshunyuan]

Man idk haha, I am not sure how vercel deals with their login system. I just wanted to mimic their login system so that on my side users can login with either github or gitlab and import their projects. By the way, is there any articles that I can read to polish up on the lack of my knowledge on login flow and authentication.

[balazsorban44]

We have some tutorials over here: https://next-auth.js.org/tutorials

https://oauth.net/2/ is a great resource as well.

https://auth0.com/docs/flows/authorization-code-flow

I started with this blog post. Auth0 has great articles in this field, with some searching, you will find a lot of info about the different tokens and techniques.

After feeling more comfortable with it, I started reading OAuth and OIDC specs directly. I don't have a link, but just search for anything in Google related to this topic, and put oauth spec behind. They are LONG and - for some - boring pages, but you will definitely learn a lot. Hope this helps! 😊

[tanshunyuan]

Alright thanks a lot man!

[StefanSelfTaught]

You don't need to implement token rotation with Github OAuth, the token does not expire although the person who authorized the OAuth app can revoke the token. I think it's the same with Gitlab not 100% sure, they do provide a refresh token in case you want to refresh ...

[tanshunyuan]

For github, if I don't refresh the access token will it pose a security issue. For gitlab with them providing me a refresh token, do I have to manually create a expiry date for the refresh token?

[StefanSelfTaught]

There is a difference between Github App and Github OAuth App. I don't think you can refresh Github OAuth access token. Yes, I think you can provide an expiry date if you want, see more on their docs

[tanshunyuan]

For now, only Github OAuth can be implemented instead of Github App on next-auth right? Since the authorization url is linked towards oauth. Github OAuth App does not provide a refresh token and a access token expiry, so I guess the only way to refresh the access token is to migrate Github OAuth to Github App which is currently not possible now.

Still got one more concern that is, is it normal/secure if I do not refresh the access token for the case of github or gitlab.

I am sorry if this all sound confusing because I am still trying to piece the whole login thing.

[balazsorban44]

Generally, I think you want the access token to have a shorter lifetime in potentially non-secure environments (like not machine-to-machine communication), because if it leaks out, the intruder wouldn't have much time to misuse it.

[tanshunyuan]

What would be a example of a non-secure environments? Like passing access token on the frontend to the backend?