Blog

cbSecurity 2.13 Released with Refresh Tokens Support

ColdBox MVC, Modules, News, Releases, Security
Luis Majano September 02, 2021

Spread the word

Luis Majano

September 02, 2021

Spread the word

Share your thoughts

Ortus Solutions

We are incredibly excited to release cbSecurity version 2.13.0 today. This release packs a big punch in terms of features for our JWT support for RESTFul APIs. We are excited to announce full refresh token support and much more.

# Install
install cbsecurity

# Update
update cbsecurity

Refresh Tokens

ColdBox Security supports the concept of refresh tokens alongside the normal JWT access tokens.

What Is a Refresh Token?

A refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again. Access tokens may be valid for a short amount of time. Once they expire, client applications can use a refresh token to "refresh" the access token.

The client application can get a new access token as long as the refresh token is valid and unexpired. Consequently, a refresh token that has a very long lifespan could theoretically give infinite power to the token bearer to get a new access token to access protected resources anytime. The bearer of the refresh token could be a legitimate user or a malicious user.

You can read all about how we implemented refresh tokens for ColdBox security here: https://coldbox-security.ortusbooks.com/jwt/refresh-tokens

What's New With 2.13.0

Added

  • Adobe 2021 Support
  • Migration to GitHub Actions from Travis CI
  • Refresh tokens support
  • Refresh token endpoint /cbsecurity/refreshToken for secure refresh token generation
  • Manual refresh token method on the JwtService : refreshToken( token )
  • Auto refresh token header interceptions for JWT validators
  • Detect on authenticate() if the payload is empty and throw the appropriate exceptions
  • Added ability for the authenticate( payload ) to receive a payload to authenticate
  • Added ability to recreate the token storage using a force argument getTokenStorage( force = false )
  • Ability for the parseToken() to choose to store and authenticate or just parse

Fixed

  • Unique jti could have collisions if tokens created at the same time, add randomness to it
  • TokenExpirationException not relayed from the base jwt library
  • If variables.settings.jwt.tokenStorage.enabled is disabled all invalidations failed, make sure if the storage is disabled to not throw storage exceptions.

Add Your Comment

Recent Entries

Ortus June 2024 Newsletter!

Ortus June 2024 Newsletter!

Welcome to the latest edition of the Ortus Newsletter! This month, we're excited to bring you highlights from our sessions at CFCamp and Open South Code, as well as a sneak peek into our upcoming events. Discover the latest developments in BoxLang, our dynamic new JVM language, and catch up on all the insightful presentations by our expert team. Let's dive in!

Maria Jose Herrera
Maria Jose Herrera
June 28, 2024
BoxLang June 2024 Newsletter!

BoxLang June 2024 Newsletter!

We're thrilled to bring you the latest updates and exciting developments from the world of BoxLang. This month, we're diving into the newest beta release, introducing a new podcast series, showcasing innovative integrations, and sharing insights from recent events. Whether you're a seasoned developer or just getting started, there's something here for everyone to explore and enjoy.

Maria Jose Herrera
Maria Jose Herrera
June 28, 2024
BoxLang 1.0.0 Beta 3 Launched

BoxLang 1.0.0 Beta 3 Launched

We are thrilled to announce the release of BoxLang 1.0.0-Beta 3! This latest beta version is packed with exciting new features and essential bug fixes, including robust encryption functionality, enhanced Java interoperability, and more efficient event handling. Key highlights include the introduction of query caching capabilities, seamless coercion of Java Single Abstract Method (SAM) interfaces from BoxLang functions, and support for virtual thread executors. So, let’s dive into the details of what’s new in BoxLang 1.0.0-Beta 3 and how you can start leveraging these updates today!

Luis Majano
Luis Majano
June 28, 2024