
Refresh Token implementation and RFC 6749

Open ewgRa opened this issue 5 years ago • 6 comments

As far as I see, gin-jwt considers the Access token the same as the Refresh token. When we log in, in the response we can find a token that later we can send to the refresh endpoint. Additionally, we also have the MaxRefresh setting, which allows us to refresh the token even if it is expired. As far as I understand, this approach increases security risks. The idea of a refresh token - get it once, hide it better than the access token and use it only for auth purposes, but not for access to resources.

Here is the RFC that clarifies the flow: https://tools.ietf.org/html/rfc6749#section-1.4.

Question is: what is the reason that gin-jwt implements it like this? How about following RFC 6749?

ewgRa avatar Sep 01 '19 22:09 ewgRa
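As an added illustration of the separation the issue asks for (this is not gin-jwt's code and not a proposal for its API): a small Go sketch using a hypothetical HMAC-signed token format in which a `typ` claim distinguishes access from refresh tokens. The resource check accepts only unexpired access tokens, and the refresh grant accepts only unexpired refresh tokens, so an expired access token can never be exchanged for a new one the way a MaxRefresh-style window allows. The key, subject, lifetimes, token layout and the function names `IssuePair`, `AuthorizeResource` and `Refresh` are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload of a hypothetical token: base64url(JSON) "." base64url(HMAC).
// This layout is constructed for the example; it is not gin-jwt's format.
type Claims struct {
	Sub string `json:"sub"`
	Typ string `json:"typ"` // "access" or "refresh"
	Exp int64  `json:"exp"` // expiry, unix seconds
}

var ErrBadToken = errors.New("invalid token")

func sign(key, payload []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Mint serialises the claims and appends an HMAC-SHA256 tag.
func Mint(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	enc := base64.RawURLEncoding.EncodeToString(body)
	return enc + "." + sign(key, []byte(enc))
}

// Parse verifies the signature, then enforces the expected token type and expiry.
// The type check is what keeps the two token kinds from being interchangeable.
func Parse(key []byte, tok, wantTyp string, now time.Time) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 2 {
		return Claims{}, ErrBadToken
	}
	if !hmac.Equal([]byte(sign(key, []byte(parts[0]))), []byte(parts[1])) {
		return Claims{}, ErrBadToken
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, ErrBadToken
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, ErrBadToken
	}
	if c.Typ != wantTyp {
		return Claims{}, fmt.Errorf("token of type %q cannot be used as %q", c.Typ, wantTyp)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// IssuePair is what login returns: a short-lived access token for resources and a
// longer-lived refresh token that is only ever presented to the token endpoint.
func IssuePair(key []byte, sub string, now time.Time) (access, refresh string) {
	access = Mint(key, Claims{Sub: sub, Typ: "access", Exp: now.Add(15 * time.Minute).Unix()})
	refresh = Mint(key, Claims{Sub: sub, Typ: "refresh", Exp: now.Add(7 * 24 * time.Hour).Unix()})
	return access, refresh
}

// AuthorizeResource is the protected-resource check: only unexpired access tokens.
func AuthorizeResource(key []byte, tok string, now time.Time) (string, error) {
	c, err := Parse(key, tok, "access", now)
	if err != nil {
		return "", err
	}
	return c.Sub, nil
}

// Refresh is the refresh_token grant of RFC 6749 section 1.4: only an unexpired refresh
// token is accepted, and a new pair is issued. Access tokens, expired or not, are rejected.
func Refresh(key []byte, tok string, now time.Time) (access, refresh string, err error) {
	c, err := Parse(key, tok, "refresh", now)
	if err != nil {
		return "", "", err
	}
	access, refresh = IssuePair(key, c.Sub, now)
	return access, refresh, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed for the example
	now := time.Now()
	a, r := IssuePair(key, "alice", now)
	_, err := AuthorizeResource(key, r, now)
	fmt.Println("refresh token at resource:", err)
	_, _, err = Refresh(key, a, now)
	fmt.Println("access token at refresh endpoint:", err)
}
```

In a real deployment the refresh token would also be stored (or its rotation tracked) server-side so that it can be revoked, and the two kinds would usually be signed with different keys; the example keeps a single key to stay short and relies on the `typ` claim alone.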

Any update?

ewgRa avatar Jun 20 '20 12:06 ewgRa

Any update? It has been more than a year since the initial request for this feature.

meruiden avatar Nov 03 '20 13:11 meruiden

For the same reason I have decided not to use it and implement my own. A shame.

merfrei avatar Apr 17 '21 15:04 merfrei

@appleboy would you consider merging a PR implementing this? That would be a breaking change for v3.0 I guess.

gnuletik avatar Apr 17 '21 15:04 gnuletik

This issue makes this package non usable for me.

axispx avatar Jun 13 '21 03:06 axispx

You could also explicitly state in the docs that the refresh token isn't implemented as one would expect, which would make everything a lot clearer.

FunnyPocketBook avatar Mar 07 '24 20:03 FunnyPocketBook