Securing ProjectHuddle Authentication with Refresh Token Rotation

By Andre Gagnon

November 2, 2020

Photo by cottonbro on Pexels.com

Browsers are increasingly restricting third-party HTTP cookies. Since WordPress authenticates users with HTTP cookies, it has become much harder to make that authentication work reliably across browsers, extensions, caching layers and other browser privacy features.

Because ProjectHuddle runs across domains (the plugin is embedded on sites other than the WordPress install that hosts it), we have been running into this issue more and more often. New browser privacy controls block access to third-party cookies, and those cookies are exactly what WordPress authentication depends on, so the cross-platform experience breaks.

Enter JSON Web Tokens

JSON Web Tokens (JWT) are signed tokens that the client sends with each request, typically in an Authorization header, so the server can verify who is calling without a cookie-backed session. This makes it possible to keep a user authenticated without relying on cookies at all.

A JWT-based scheme normally pairs two tokens: a short-lived Access Token that is sent with API requests, and a long-lived Refresh Token that is used to obtain a new Access Token once the old one expires.

Unfortunately, this has not always been a good fit for browsers, because no browser storage mechanism (cookies, localStorage, sessionStorage) can guarantee that only the intended application reads it; any script that runs in the page can read the tokens. Since a stolen refresh token lets a malicious actor keep minting access tokens for as long as it is valid, storing JWTs in the browser has been strongly discouraged.

Refresh Token Rotation

Auth0 recently announced a feature called “Refresh Token Rotation”, which limits the damage a malicious actor can do with a stolen refresh token. We liked the idea so much that we have ported the same behaviour to ProjectHuddle.

How does it work?

In simple terms, a Refresh Token is invalidated as soon as it is used, and a new one is issued in its place. Each refresh token can therefore be exchanged exactly once for a new access token; presenting it a second time, by anyone, is rejected.

And since ProjectHuddle issues a new refresh token every time a page is loaded, refresh tokens are constantly being rotated and invalidated rather than sitting unchanged in the browser for days.

Reuse Detection

When the client needs a new Access Token, it sends its current Refresh Token to our endpoint and receives a new Refresh Token and Access Token pair. As soon as the new pair is issued, the Refresh Token used in the request is invalidated. This protects against replay of a compromised Refresh Token.

The reuse protection works regardless of whether the legitimate user or the malicious actor redeems the stolen Refresh Token first: the second party to present it triggers reuse detection. From that moment, every request using any current or prior refresh token from that sign-in is denied until the user signs in again. The legitimate user is signed out as well, which is the intended trade-off: the server cannot tell which of the two holders is the attacker, so it revokes both. Any access token already issued stays valid only until its short expiry, which is why access tokens are kept short-lived.

Additionally, JWT authentication only applies to the REST API. A stolen token therefore cannot be used to reach wp-admin or other areas of your WordPress install; it grants only what the REST API grants.

A Better User Experience

What does this all mean? A much better user experience. With this feature, users can work from any browser, including those with strict privacy settings, ad blockers and similar tools, because ProjectHuddle no longer depends on third-party cookies being accepted.

Availability

This feature is currently available in the 4.1 beta version of the plugin. If you’re interested in testing this, you can opt-into beta versions on the ProjectHuddle plugin menu, under ProjectHuddle > Account.

Andre is the founder of ProjectHuddle, a dead-simple client feedback plugin for WordPress professionals.