In the new privacy age, browsers are getting more and more concerned with storing 3rd party http cookies. And, since WordPress’ auth system relies on http cookies, it’s become much harder to make this work reliably between browsers, extensions, caching and other browser privacy features.
Since SureFeedback is a cross-domain plugin, we have run into this issue more and more often recently. New browser privacy controls adversely impact the user experience in SureFeedback’s cross platform experience by preventing access to third-party cookies, which are used for WordPress authentication.
Enter JSON Web Tokens
JSON Web Tokens (or JWT) are a secure way to handle authentication without the need to rely on user sessions. This means it’s possible to store the user’s authentication without the need for cookies.
JSON Web Tokens rely on Refresh Tokens, which are typically long-lived and are used to request new Access Tokens after the shorter-lived Access Tokens expire.
Unfortunately, it was not always suitable since there is no persistent storage mechanism in a browser that can assure access by the intended application only. As there are vulnerabilities that can be exploited to obtain access and refresh tokens and grant malicious actors access to protected resources, storing JWTs in the browser has been strongly discouraged.
Refresh Token Rotation
Auth0 recently announced a new feature called “Refresh Token Rotation”, which solves the issue of a malicious actor “stealing” a refresh token. We love this idea so much, we’ve ported this functionality over to SureFeedback.
How does it work?
In simple terms, a Refresh Token is invalidated and a new one is issued as soon as it’s used. That means a refresh token can only be used once to obtain an access token. This prevents re-use by malicious actors since a refresh token can only be used once to obtain an access token.
And, since a new refresh token is issued each and every time a new page is loaded on SureFeedback, refresh tokens are constantly being rotated and invalidated.
When a user needs a new Access Token, it sends the Refresh Token with the request to our endpoint to get a new Refresh Token and Access Token pair. As soon as the new pair is issued, the Refresh Token used in the request is invalidated. This helps safeguard from replay attacks resulting from compromised Refresh Tokens.
The reuse protection mechanism works regardless of whether the user or the malicious actor is able to exchange a Refresh Token for a new pair before the other. As soon as reuse is detected, all subsequent requests using any current or prior refresh tokens will be denied until the user signs in again.
Additionally, JWT authentication only applies to the REST API, which eliminates a potential malicious actor to gain access to your wp-admin or other areas of your WordPress install.
A Better User Experience
What does this all mean? A much better user experience. With this new feature, users will be able to use any browser, including those with extreme privacy features, ad-blockers and the like.
This feature is currently available in the 4.2 version of the plugin. Upgrade to the latest version!