[FEAT] Add token refresh API call to GraphQl and REST API

[damienwebdev]

Description (*)

As a user, when I am authenticated via token, I would like to be able to refresh my token (either get a new one, or refresh the expiration on my existing token). Currently, with the REST API and GraphQl APIs, there's no known way to do this.

Expected behavior (*)

As a developer, I can securely refresh a customer's authentication token.

Benefits

Basic usability and security improvement for customers. Otherwise, users are forced to re-auth every hour which is obnoxious.

Additional information

cc: @zetlen

Moved from magento/magento2#26860

[zetlen]

This is very important! Magento's usual mechanism for managing login lifetime has been PHP sessions using session ID cookies. The session maintained by the frontend area is heavy, so other areas such as GraphQL do not maintain it, even after a user has logged in by supplying a bearer token. (GraphQL will honor a valid Magento session, however.)

Because this session mechanism isn't available in GraphQL, it's also not available in PWA. (PWA does not use the Magento front controller for performance reasons.) Without a full API for expiring and refreshing bearer tokens, PWA user logins simply expire when the tokens naturally expire.

This is against the ecommerce best practice of maintaining "warm" authentication of logged-in users for personalization purposes. Upgrading the login to "hot" so that shoppers can access PII should require a fresh login, but the store should remember the user's identity for a much longer period. A refresh token gives us a natural place to store auth credentials for partial user permissions in a "warm auth" scenario.

[damienwebdev]

Related to:

magento/magento2#30820
magento/magento2#29922
magento/magento2#26112

[milindsingh]

@zetlen This really needed! We are developing PWAs for so long and the basic feature for token refresh is missing in Magento.

I would really like to work on it if anyone can guide me?

[eperezbanana]

we actually really need this, is anyone working on it?

[alexvais]

Right now is not there way to refresh the customer token authorize with the same token?

how you can build an APP without refreshing the token?

Supposing that in the APP you logged in just one time forever.

[mohdaali27]

Any update on this ?

[kayoslab]

Is there any progress on this topic? I am looking into this for a mobile app, which is supposed to access the Magento API.

As stated in the authentication methods documentation "Registered users use token-based authentication to make web API calls using a mobile application". This results in obtaining tokens with a short lifetime and no possibility to refresh those. With the current API implementation there is no way to prevent the user from being logged out after the TTL of this access token has expired.

As @zetlen sums up correctly, it goes against best practice in Ecommerce not to provide a way to keep a users session alive.

[electroidru]

I'm one more person who agreed with @kayoslab and @zetlen that without proper json web token-based authentication which should include authentication and refresh tokens, currently magento 2 token-based authentication is useless.

The only way I see is to implement custom module for JWT and extend current rest api with new endpoints.

[Vinai]

Regarding JWT this is still as current as back when it was written 5 years ago:
https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

[electroidru]

Regarding JWT this is still as current as back when it was written 5 years ago: https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

I don't think that't directly related. It's just claim to use cookie over https. However if we are talking about mobile app development as example there's cookies isn't usable. If you need more security you can implement Proof Key for Code Exchange for example (https://datatracker.ietf.org/doc/html/rfc7636).

Anyway I don't mind if another format will be used, but with proper OAuth2 protocol where access and refresh tokens will be available.

[yeras-is]

Hey Magento team, it's 2 years since began on this issue, any updates?

[yeras-is]

@real34 @medigeek @andimov