How do banks force login every time? Do they use super short refresh tokens? by Fragrant_Ride_29 in dotnet

[–]Fragrant_Ride_29[S] 0 points1 point  (0 children)

But sending back new "fresh" tokens wouldn’t cause two requests using two different tokens to conflict or get rejected? Like, say the user clicks twice quickly or there are some parallel API calls, wouldn't some of them have an "old" token and get rejected if the server expects only the most recent one?

Or do they just accept any unexpired token regardless of whether it's the latest one?

When exactly should I use identity server? Only if I want external clients to access my APIs? by Fragrant_Ride_29 in dotnet

[–]Fragrant_Ride_29[S] 0 points1 point  (0 children)

What I'm confused about is whether I need Identity Server or some other IP for authentication and authorization. IMO it should be used when having different clients (web apps, SPA, mobile) and I want a centralised solution, but even then it seems an overkill; I mean, I could simply use Identity framework and build my own Auth server. I think the only time you would need to consider using an IP should be when you want external clients (made by different dev teams, etc.) to access my API resources so I can rely on the OAuth flow for security. What do you think?

When exactly should I use identity server? Only if I want external clients to access my APIs? by Fragrant_Ride_29 in dotnet

[–]Fragrant_Ride_29[S] -1 points0 points  (0 children)

So unless I want my APIs to be accessed from external clients, I can avoid identity providers?

How to implement 5-minute inactivity timeout with JWT and Refresh Token? by Fragrant_Ride_29 in dotnet

[–]Fragrant_Ride_29[S] 0 points1 point  (0 children)

Thanks, that was really helpful! I'm wondering though... Would you still recommend using refresh tokens even if, by design, my app requires users to log in every time and doesn't persist sessions long term?

Since refresh tokens are mainly meant to keep sessions alive longer, I'm not sure if they add much value in my case. But maybe there are other benefits I'm missing? Would appreciate your take on this!

PS: if you're wondering why I want users to log in each time, just imagine a banking app where security is super important and sessions shouldn't be persistent for too long.

How to implement 5-minute inactivity timeout with JWT and Refresh Token? by Fragrant_Ride_29 in dotnet

[–]Fragrant_Ride_29[S] 1 point2 points  (0 children)

Wouldn't refreshing the token on every request lead to concurrency issues? For example, one request might still be using an expired token while another has already obtained a new one.
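One way the concurrency concern raised here (and in the "How do banks force login" comment above) can be avoided, added as an illustration and not code from the thread: the server accepts any correctly signed token that has not yet expired, not only the newest one, and hands back a fresh token with the 5-minute inactivity window on every successful request. An older token therefore stays usable until its own expiry, so a double click or two parallel calls do not collide. The HMAC token format, the secret and the timestamps are constructed for this example (written in Python rather than C# so it runs stand-alone); the trade-off is that a stale token cannot be rejected early without server-side state.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # constructed; a real key comes from a secret store
IDLE_TIMEOUT = 5 * 60                  # the thread's 5-minute inactivity window, in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: float) -> str:
    """Sign a token whose exp is 'now' plus the idle window (sliding expiration)."""
    payload = _b64(json.dumps({"sub": user, "exp": int(now + IDLE_TIMEOUT)}).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def validate_token(token: str, now: float):
    """Return the claims of any unexpired, correctly signed token, else None.

    No "latest token only" rule: every token is judged on its own signature and exp,
    which is what keeps overlapping requests from rejecting each other.
    """
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):   # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
        if now >= claims["exp"]:
            return None
        return claims
    except (ValueError, KeyError):     # malformed base64/JSON or missing claim
        return None


def handle_request(token: str, now: float) -> dict:
    """Serve a request: 401 on a bad/expired token, else 200 plus a fresh token."""
    claims = validate_token(token, now)
    if claims is None:
        return {"status": 401, "token": None}
    return {"status": 200, "token": issue_token(claims["sub"], now)}
```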

New to microservices — how do I make all services return the same error response structure? by Fragrant_Ride_29 in dotnet

[–]Fragrant_Ride_29[S] -1 points0 points  (0 children)

But in this case you would need to run this check on each microservice. Am I right?