refresh_token flow removes refresh token after first use regardless of settings

Open datamystic opened this issue 3 years ago • 1 comment

Using https://developers.google.com/oauthplayground, I confirmed that this library removes the refresh_token after the first use, regardless of the always_issue_new_refresh_token and unset_refresh_token_after_use settings, e.g.:

// register the refresh_token grant with rotation disabled and a 1 hour refresh token lifetime
$server->addGrantType(new OAuth2\GrantType\RefreshToken($storage), array(
    'always_issue_new_refresh_token' => false,
    'unset_refresh_token_after_use'  => false,
    'refresh_token_lifetime'         => 3600,
));

I eventually worked around this by commenting out the code in

public function unsetRefreshToken($refresh_token)

and I will periodically remove expired access tokens from the DB with a script. Yuck.

datamystic avatar Feb 01 '22 00:02 datamystic

The problem seems to be that the config option 'always_issue_new_refresh_token' is not respected in /vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/RefreshToken.php

Another (temporary) solution to the problem is therefore to change line 144 from:

$issueNewRefreshToken = $this->config['always_issue_new_refresh_token'];

to

$issueNewRefreshToken = true;

It would be nice to have the code respect the config-options.

michdorf avatar Nov 07 '22 09:11 michdorf
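The two comments above describe the behaviour the refresh_token grant is expected to have under always_issue_new_refresh_token and unset_refresh_token_after_use, and the failure mode when the old token is dropped without a replacement. The following is an added illustration, not code from oauth2-server-php and not written by either commenter: it models that rotation policy as a standalone function over an in-memory store, so the effect of each config combination can be exercised directly. InMemoryRefreshTokenStorage, rotateRefreshToken and the sample token values are all constructed for this example; the unsetRefreshToken method name mirrors the one mentioned in the issue, the other storage method names are assumptions.

```php
<?php
// Added illustration: refresh-token rotation policy driven by the two config
// keys discussed in the issue. Not oauth2-server-php's own code.

final class InMemoryRefreshTokenStorage
{
    private array $tokens = [];

    public function setRefreshToken(string $token, string $clientId, string $userId, int $expires): void
    {
        $this->tokens[$token] = ['client_id' => $clientId, 'user_id' => $userId, 'expires' => $expires];
    }

    public function getRefreshToken(string $token): ?array
    {
        return $this->tokens[$token] ?? null;
    }

    // Same method name as the one the issue opener commented out.
    public function unsetRefreshToken(string $token): void
    {
        unset($this->tokens[$token]);
    }
}

/**
 * Apply the rotation policy for one refresh_token grant request.
 * Returns the refresh token the client should present next time, or null when
 * the presented token is unknown or expired (the server should reject the request).
 * Defaults below are this example's choices, not the library's.
 */
function rotateRefreshToken(InMemoryRefreshTokenStorage $storage, array $config, string $presented, int $now): ?string
{
    $stored = $storage->getRefreshToken($presented);
    if ($stored === null || $stored['expires'] < $now) {
        return null;
    }

    $issueNew = (bool) ($config['always_issue_new_refresh_token'] ?? false);
    $unsetOld = (bool) ($config['unset_refresh_token_after_use'] ?? true);
    $lifetime = (int) ($config['refresh_token_lifetime'] ?? 1209600);

    $next = $presented;
    if ($issueNew) {
        // Rotation: a fresh, unpredictable token with its own expiry.
        $next = bin2hex(random_bytes(20));
        $storage->setRefreshToken($next, $stored['client_id'], $stored['user_id'], $now + $lifetime);
    }

    if ($unsetOld) {
        // Revoking the old token limits how long a leaked copy can be replayed.
        // Note: with issueNew=false this strands the client, which is exactly
        // the symptom reported above; a hardened grant would refuse that combination.
        $storage->unsetRefreshToken($presented);
    }

    return $next;
}

function expect(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// --- Constructed scenarios -------------------------------------------------
$now = 1_700_000_000;

// 1. The opener's configuration: no rotation, token must survive reuse.
$store = new InMemoryRefreshTokenStorage();
$store->setRefreshToken('rt-constructed-1', 'client-a', 'user-1', $now + 3600);
$cfg  = ['always_issue_new_refresh_token' => false, 'unset_refresh_token_after_use' => false, 'refresh_token_lifetime' => 3600];
$next = rotateRefreshToken($store, $cfg, 'rt-constructed-1', $now);
expect($next === 'rt-constructed-1', 'same token returned when rotation is off');
expect($store->getRefreshToken('rt-constructed-1') !== null, 'token still stored after use');

// 2. Rotation on: old token revoked, new one issued and stored.
$cfg  = ['always_issue_new_refresh_token' => true, 'unset_refresh_token_after_use' => true, 'refresh_token_lifetime' => 3600];
$next = rotateRefreshToken($store, $cfg, 'rt-constructed-1', $now);
expect($next !== null && $next !== 'rt-constructed-1', 'new token issued');
expect($store->getRefreshToken('rt-constructed-1') === null, 'old token revoked');
expect(rotateRefreshToken($store, $cfg, 'rt-constructed-1', $now) === null, 'replay of old token rejected');

// 3. Expired token is rejected regardless of configuration.
$store->setRefreshToken('rt-constructed-expired', 'client-a', 'user-1', $now - 1);
expect(rotateRefreshToken($store, $cfg, 'rt-constructed-expired', $now) === null, 'expired token rejected');

echo "all refresh-token policy checks passed\n";
```

Run with `php rotate_example.php`. Scenario 1 is what the issue opener configured and expected; scenario 2 is the rotating configuration, where revoking the presented token on each use is what makes a leaked refresh token detectable on replay. The combination issueNew=false with unsetOld=true is deliberately not guarded here so the stranded-client outcome is visible; a server deployment should either pair the two keys or validate the configuration at startup.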