We have a WinForms app that the users have running on servers that usually won’t be shut down, and would like to integrate Auth0 into this app for authorization in our API when requests are made. My concern is though, will the token expire and cause issues with not being logged in? If so, is it possible to keep users logged in until they manually log out or close the app?
In your initial authentication request you can request that a refresh token be issued and then use that refresh token to obtain (refresh) other needed tokens. At this time, refresh tokens issued by the Auth0 service are valid until they are explicitly revoked, so you could meet your requirement through their use (https://auth0.com/docs/tokens/refresh-token/current).
For Winforms what I’ve done is write the refresh token to a file in IsolatedStorage and read that anytime I need to get a new token. (I should probably encrypt it?) I get a new token for each request and don’t bother with temporarily storing the access token and checking the expiration time.
I would advise you to reuse the access tokens across requests; you may choose to omit an expiration check and just reuse it until it fails, at which time you would get a new one, but you should cache that access token and reuse it for more than just one request.
Thank you for the response. How do I request a refresh token to be issued? I tried to add the “offline_access” to my scopes, logged out and logged in again to retrieve a new login result with the new scope added, but my RefreshToken and RefreshTokenHandler in the returned object are both null. I still receive the access token, expiration and id token correctly.
If the authentication request is for API authorization (an access token for a custom API will be issued as part of the response) then, besides including that scope, you need to ensure at the respective API settings page that refresh tokens can be issued (Allow Offline Access toggle).
@jmangelo I’m pretty sure I saw guidance from someone else on this topic that said exactly the opposite: to just get a new access token when you need it. My winforms app isn’t working with data on an API, it’s mostly licensing, so it’s not grabbing a new access token every 2 seconds… every two hours or so. But I just modified it to cache the access token when it first loads into memory and use it till expiration. I don’t remember where I saw that… maybe it just meant don’t store the access token on HDD.
Well, sometimes guidance is just like opinions; everyone has one. Another problem with guidance is context, for example, if you say to me the access token is only used every two hours and the lifetime of that token is configured to be 5 hours, caching it or not does not make a substantial difference.
If, however, the token is continuously used it would be a different matter. I also agree that caching can take different levels; you can cache it just in-memory, likely the easiest approach, and, in order for that token to leak, the process would need to be running and a more advanced attack employed.
On the other hand, if you wanted to cache it across multiple executions of the application then you need to be more careful where you persist that token. However, if you already need to cache refresh tokens then you likely already solved the problem of where to store sensitive information, so storing one more piece of information should not make much difference.
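The two pieces of advice in this thread (reuse a cached access token across requests instead of fetching one per request, and be careful where the refresh token is persisted) can be combined in one small WinForms helper. The following is an added example, not code from the thread or from the Auth0 SDK: it keeps the access token in memory until shortly before its expiry, refreshes it by posting the refresh_token grant directly to the Auth0 token endpoint, and stores the refresh token in IsolatedStorage only after protecting it with Windows DPAPI (current-user scope), so a copy of the file from another account or machine cannot be unprotected. The Auth0 domain and client id are placeholders, Newtonsoft.Json is assumed to be referenced for parsing the token response, and `ProtectedData` requires a reference to the System.Security assembly on .NET Framework.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.IsolatedStorage;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Persists the refresh token on disk, DPAPI-protected for the current Windows user.
// The file holds only ciphertext; DPAPI keys it to the user's logon credentials.
static class RefreshTokenStore
{
    const string FileName = "auth0.refresh_token.bin";
    // Optional extra entropy mixed into DPAPI; assumed value, change per application.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("winforms-auth0-example-entropy");

    public static void Save(string refreshToken)
    {
        byte[] protectedBytes = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(refreshToken), Entropy, DataProtectionScope.CurrentUser);
        using (var store = IsolatedStorageFile.GetUserStoreForAssembly())
        using (var stream = store.CreateFile(FileName))
            stream.Write(protectedBytes, 0, protectedBytes.Length);
    }

    public static string Load()
    {
        using (var store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            if (!store.FileExists(FileName)) return null;
            using (var stream = store.OpenFile(FileName, FileMode.Open, FileAccess.Read))
            using (var buffer = new MemoryStream())
            {
                stream.CopyTo(buffer);
                byte[] plain = ProtectedData.Unprotect(buffer.ToArray(), Entropy, DataProtectionScope.CurrentUser);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    public static void Delete()
    {
        using (var store = IsolatedStorageFile.GetUserStoreForAssembly())
            if (store.FileExists(FileName)) store.DeleteFile(FileName);
    }
}

// In-memory access token cache: one token is reused across requests until it is
// within `Margin` of expiry, then refreshed with the stored refresh token.
sealed class AccessTokenCache
{
    static readonly TimeSpan Margin = TimeSpan.FromSeconds(60);
    readonly HttpClient _http = new HttpClient();
    readonly SemaphoreSlim _refreshLock = new SemaphoreSlim(1, 1);
    readonly string _tokenEndpoint, _clientId;
    string _accessToken;
    DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    // Placeholders: replace with the tenant domain and the native application's client id.
    public AccessTokenCache(string auth0Domain = "YOUR_TENANT.auth0.com", string clientId = "YOUR_CLIENT_ID")
    {
        _tokenEndpoint = "https://" + auth0Domain + "/oauth/token";
        _clientId = clientId;
    }

    // Call this on a 401 from the API so the next GetAccessTokenAsync() refreshes.
    public void Invalidate() { _accessToken = null; }

    public async Task<string> GetAccessTokenAsync()
    {
        if (_accessToken != null && DateTimeOffset.UtcNow < _expiresAt - Margin)
            return _accessToken;                      // cache hit: no network round trip

        await _refreshLock.WaitAsync();               // only one refresh at a time
        try
        {
            if (_accessToken != null && DateTimeOffset.UtcNow < _expiresAt - Margin)
                return _accessToken;                  // another caller refreshed meanwhile

            string refreshToken = RefreshTokenStore.Load();
            if (refreshToken == null)
                throw new InvalidOperationException("No refresh token stored; interactive login required.");

            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                { "grant_type", "refresh_token" },
                { "client_id", _clientId },
                { "refresh_token", refreshToken },
            });
            HttpResponseMessage response = await _http.PostAsync(_tokenEndpoint, form);
            if (!response.IsSuccessStatusCode)
            {
                // Refresh token was revoked or is otherwise unusable: drop it so the
                // application falls back to an interactive login instead of retrying forever.
                RefreshTokenStore.Delete();
                throw new InvalidOperationException("Refresh failed (" + (int)response.StatusCode + "); login required.");
            }

            JObject body = JObject.Parse(await response.Content.ReadAsStringAsync());
            _accessToken = (string)body["access_token"];
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds((int)body["expires_in"]);

            // With refresh token rotation enabled the response carries a new refresh token;
            // persist it, because the old one is no longer valid.
            string rotated = (string)body["refresh_token"];
            if (!string.IsNullOrEmpty(rotated)) RefreshTokenStore.Save(rotated);
            return _accessToken;
        }
        finally { _refreshLock.Release(); }
    }
}
```

After the interactive login, call `RefreshTokenStore.Save(loginResult.RefreshToken)` once, then route every API call through `GetAccessTokenAsync()`; on a 401 from the API call `Invalidate()` and retry once, which gives the "reuse until it fails" behaviour described above without a refresh on every request. On manual logout, call `RefreshTokenStore.Delete()` so the persisted credential does not outlive the session.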
I’m still stuck on the unauthorized issue