
Rotating refresh token #207

Open

oharsta opened this issue Dec 10, 2024 · 1 comment

oharsta commented Dec 10, 2024

See https://www.rfc-editor.org/rfc/rfc6749#section-10.4 and the behaviour supported by Okta: https://developer.okta.com/docs/guides/refresh-tokens/main/#refresh-token-rotation

oharsta converted this from a draft issue Dec 10, 2024

baszoetekouw commented Dec 11, 2024

The spec says (section 10.4):

The authorization server MUST verify the binding between the refresh
token and client identity whenever the client identity can be
authenticated. When client authentication is not possible, the
authorization server SHOULD deploy other means to detect refresh
token abuse.

For example, the authorization server could employ refresh token
rotation in which a new refresh token is issued with every access
token refresh response.

I read that to mean: "If the client does not reissue refresh tokens on use, the server SHOULD deploy other means to detect refresh token abuse". So we can only implement static refresh tokens IF we have other means to detect abuse.
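One way an authorization server can implement the rotation-plus-abuse-detection that section 10.4 describes, as an added illustration that is not this project's code: every refresh token belongs to a "family" descended from the original grant, each use rotates the token, and a token presented a second time is treated as evidence of compromise, so the whole family is revoked. The class and method names (RefreshTokenStore, RefreshRecord, issue_initial, refresh) are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class RefreshRecord:
    client_id: str   # identity the token is bound to (RFC 6749 10.4 MUST check)
    family: str      # shared by every token rotated from the same initial grant
    used: bool = False


class RefreshTokenStore:
    """In-memory rotating refresh-token store (constructed example, not the project's code)."""

    def __init__(self) -> None:
        self._tokens: dict[str, RefreshRecord] = {}
        self.revoked_families: set[str] = set()

    def issue_initial(self, client_id: str) -> str:
        """Issue the first refresh token of a new family (e.g. after the authorization grant)."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshRecord(client_id=client_id, family=secrets.token_hex(8))
        return token

    def refresh(self, token: str, client_id: str) -> Optional[str]:
        """Rotate `token`; return the new refresh token, or None for invalid_grant."""
        rec = self._tokens.get(token)
        if rec is None or rec.client_id != client_id:
            return None  # unknown token, or presented by a different client
        if rec.family in self.revoked_families:
            return None  # family already revoked after a detected replay
        if rec.used:
            # A rotated token is being replayed: either the legitimate client or
            # whoever stole the token holds a stale copy. Revoke the whole family
            # so both parties must re-authenticate.
            self.revoked_families.add(rec.family)
            return None
        rec.used = True
        new_token = secrets.token_urlsafe(32)
        self._tokens[new_token] = RefreshRecord(client_id=client_id, family=rec.family)
        return new_token
```

The replay branch is what makes rotation an abuse-detection mechanism rather than just hygiene: a static (non-rotating) token gives the server no signal that two parties are using it.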
