
Inconsistent refresh token options

Open guillerodriguez opened this issue 8 years ago • 3 comments

I have always_issue_new_refresh_token set to false, and the refresh token lifetime to the default value (14 days). However I found that the refresh token becomes invalid after first use (even though it has not expired yet).

I found that there is an option unset_refresh_token_after_use, which is true by default.

Does this combination make sense? If we set always_issue_new_refresh_token to false, shouldn't the refresh token be valid until it expires?

guillerodriguez, Apr 20 '17 09:04

I'll have to look at this, but it might be behaviour by design. I'll assign this for now but I might not get to it for a couple weeks.

bluebaroncanada, Aug 11 '17 21:08

@guillerodriguez I was looking at almost the same issue as yours.

In my case, I have always_issue_new_refresh_token => true and unset_refresh_token_after_use => false.

always_issue_new_refresh_token is used to create a new refresh_token when you refresh your access_token. If it is false, your request will not return a new refresh_token, and whether the old one expires depends on your unset_refresh_token_after_use config. So, if it is false, you can refresh your token until it expires. If it is true, you can always use the new one.

unset_refresh_token_after_use is used to revoke the old refresh_token when you refresh your access_token. It is true by default and, in this case, you will get an error requesting a second refresh with the old refresh_token (no matter its lifetime). If you set it to false, the old refresh_token can be reused and will only expire by the refresh token lifetime.

Your access_token can be refreshed any time and it will not be revoked by the refreshing process (it will be by the access token lifetime).

See: https://github.com/bshaffer/oauth2-server-php/blob/master/src/OAuth2/GrantType/RefreshToken.php#L44

https://github.com/bshaffer/oauth2-server-php/blob/master/src/OAuth2/GrantType/RefreshToken.php#L148

It took me a lot of time to find that. It really needs to be in the documentation. I also think unset_refresh_token_after_use should be false by default, avoiding some browser tab restore errors (I described it there: https://github.com/websanova/vue-auth/issues/298).

peluprvi, Nov 29 '17 14:11
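The four combinations of the two options described in the comment above, exercised against the library itself. This is an added example, not code from the issue thread or from oauth2-server-php; it assumes the library is installed with Composer as bshaffer/oauth2-server-php, uses the library's in-memory storage, and the client id, secret, user and seed refresh token are constructed fixtures. Each configuration presents the same refresh token twice, which is the situation the issue reporter ran into.

```php
<?php
// Added example, not code from the issue thread or the oauth2-server-php repository.
// Assumes: `composer require bshaffer/oauth2-server-php` has been run in this directory.
require_once __DIR__ . '/vendor/autoload.php';

use OAuth2\GrantType\RefreshToken;
use OAuth2\Request;
use OAuth2\Server;
use OAuth2\Storage\Memory;

// Constructed fixture: one confidential client and one refresh token that is
// 14 days from expiry (the library's default refresh_token_lifetime).
function buildServer(array $grantConfig): Server
{
    $storage = new Memory([
        'client_credentials' => [
            'app' => ['client_secret' => 's3cret'],
        ],
        'refresh_tokens' => [
            'rt-seed' => [
                'refresh_token' => 'rt-seed',
                'client_id'     => 'app',
                'user_id'       => 'alice',
                'expires'       => time() + 14 * 24 * 3600,
                'scope'         => 'basic',
            ],
        ],
        'supported_scopes' => ['basic'],
    ]);

    $server = new Server($storage, ['refresh_token_lifetime' => 14 * 24 * 3600]);
    // Both options under discussion are read by the RefreshToken grant type.
    $server->addGrantType(new RefreshToken($storage, $grantConfig));
    return $server;
}

// One refresh_token grant request, built in-process (no HTTP listener needed).
function refresh(Server $server, string $refreshToken): array
{
    $request = new Request(
        [],                                   // query string
        [                                     // POST body
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
            'client_id'     => 'app',
            'client_secret' => 's3cret',
        ],
        [], [], [],
        ['REQUEST_METHOD' => 'POST']          // the token endpoint only accepts POST
    );
    return $server->handleTokenRequest($request)->getParameters();
}

// Present the same refresh token twice and report what the client observes.
function describe(array $grantConfig): void
{
    $server = buildServer($grantConfig);
    $first  = refresh($server, 'rt-seed');
    $second = refresh($server, 'rt-seed');

    printf("always_issue_new_refresh_token=%s unset_refresh_token_after_use=%s\n",
        var_export($grantConfig['always_issue_new_refresh_token'], true),
        var_export($grantConfig['unset_refresh_token_after_use'], true));

    if (isset($first['refresh_token'])) {
        $firstMsg = 'access token + new refresh token ' . $first['refresh_token'];
    } elseif (isset($first['access_token'])) {
        // The reporter's case: the old token is gone and no replacement is returned.
        $firstMsg = 'access token only, no refresh token returned';
    } else {
        $firstMsg = 'error ' . $first['error'];
    }
    printf("  first use : %s\n", $firstMsg);
    printf("  reuse     : %s\n", isset($second['error'])
        ? 'rejected (' . $second['error'] . ': ' . $second['error_description'] . ')'
        : 'accepted, old token still valid');
}

foreach ([[false, true], [false, false], [true, true], [true, false]] as [$issue, $unset]) {
    describe([
        'always_issue_new_refresh_token' => $issue,
        'unset_refresh_token_after_use'  => $unset,
    ]);
}
```

With the defaults (false/true) the first refresh succeeds but returns no refresh token, and the second is rejected with invalid_grant, which is exactly the behaviour reported at the top of the thread. The combination true/true gives rotation: every refresh returns a fresh token and the spent one is deleted. Either false-unset combination leaves the old token usable until its lifetime runs out.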

Revoking the refresh token is a security measure. It's described here: https://tools.ietf.org/html/rfc6749#section-6

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.

The explanation to the best of my knowledge: If a refresh token is compromised, an attacker would be able to make requests which are indistinguishable from the user's normal requests. The only limit is the refresh token's expiration time. To combat this, a refresh token is made single use. When the attacker or the user tries to use a spent token, the API revokes all tokens since it can't know which request is legitimate.

MatthiasKunnen, Apr 19 '18 16:04
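The rotation-with-reuse-detection scheme described in the comment above, as a small self-contained model. This is an added illustration, not oauth2-server-php code: the library's RefreshToken grant linked earlier only deletes a spent token and returns invalid_grant on reuse, whereas the model below also groups tokens into a family and revokes the whole family when a spent token is replayed. The class and method names and the family id are hypothetical.

```php
<?php
// Added illustration of refresh-token rotation with reuse detection.
// Not library code; RotatingRefreshTokenStore and the "family" notion are
// hypothetical names chosen for this example.

final class RotatingRefreshTokenStore
{
    /** token => ['family' => string, 'user' => string, 'expires' => int, 'spent' => bool] */
    private array $tokens = [];
    /** family id => true once the family has been revoked */
    private array $revokedFamilies = [];

    // Issue a refresh token; a fresh family id is minted unless the token is a
    // rotation within an existing family.
    public function issue(string $user, int $lifetime, ?string $family = null): string
    {
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = [
            'family'  => $family ?? bin2hex(random_bytes(8)),
            'user'    => $user,
            'expires' => time() + $lifetime,
            'spent'   => false,
        ];
        return $token;
    }

    // Rotate: returns the replacement refresh token, or null with $error set.
    // Presenting an already-spent token revokes every token in its family,
    // because the server cannot tell whether the legitimate client or a thief
    // is the one replaying it.
    public function rotate(string $presented, ?string &$error = null): ?string
    {
        $rec = $this->tokens[$presented] ?? null;
        if ($rec === null) {
            $error = 'invalid_grant: unknown token';
            return null;
        }
        if (isset($this->revokedFamilies[$rec['family']])) {
            $error = 'invalid_grant: family revoked';
            return null;
        }
        if ($rec['expires'] < time()) {
            $error = 'invalid_grant: expired';
            return null;
        }
        if ($rec['spent']) {
            $this->revokeFamily($rec['family']);
            $error = 'invalid_grant: reuse detected, family revoked';
            return null;
        }
        $this->tokens[$presented]['spent'] = true;
        // Replacement stays in the same family; here it inherits the remaining lifetime.
        return $this->issue($rec['user'], $rec['expires'] - time(), $rec['family']);
    }

    private function revokeFamily(string $family): void
    {
        $this->revokedFamilies[$family] = true;
        foreach ($this->tokens as $t => $rec) {
            if ($rec['family'] === $family) {
                unset($this->tokens[$t]);
            }
        }
        // A real server would revoke the family's access tokens here as well.
    }

    public function isValid(string $token): bool
    {
        return isset($this->tokens[$token]) && !$this->tokens[$token]['spent'];
    }
}

// Walk-through: the user rotates normally, then an attacker replays the old
// copy. The replay is rejected and the user's current token is revoked too,
// which is what forces the user to re-authenticate instead of silently
// sharing the session with the attacker.
$store = new RotatingRefreshTokenStore();
$rt1   = $store->issue('alice', 14 * 24 * 3600);
$rt2   = $store->rotate($rt1);            // legitimate rotation
$err   = null;
$store->rotate($rt1, $err);               // attacker replays rt1
echo "replay of rt1: {$err}\n";
echo "user's rt2 still valid? ", var_export($store->isValid($rt2), true), "\n";
```

The trade-off the thread is circling is visible here: single-use tokens mean a client that loses the response carrying the replacement (a restored browser tab, a crashed process) is logged out, while reusable tokens mean a stolen token works until its expiry. Reuse detection keeps the first property and turns a replay into a signal rather than silently letting it through.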