Refresh Token Rotation #394
Comments
If you want a single use token, why not just use the JWT? Can you describe a use case where you want FusionAuth to issue the JWT as a result of authentication, and also issue a Refresh Token for a single use?
@robotdan: I guess there is a misunderstanding. Please correct me if I'm wrong. The result of authentication is having an access token (AT) and a refresh token (RT). The AT is used to access the secured resource and has a rather short lifespan. In case an RT is somehow leaked, an attacker can use the RT to get an AT to access the protected resource. And as the RT can be used multiple times, the leakage probably stays undetected. In this scenario, when using a refresh token to get a new AT, it must also return a new RT as well, and all possible other RTs from this user must become invalid. Of course there are config possibilities, e.g. a definable number of times an RT can be used or how long an RT is valid.
Ah, ok, got it. I think you're asking for a rolling refresh token, or sometimes called refresh token rotation. This is something we're looking at already. Here is one of the recommendations that is being made in the 2.1 draft spec. Does this description sound like what you're after?
https://tools.ietf.org/id/draft-parecki-oauth-v2-1-00.html#name-refreshing-an-access-token
Yes, refresh token rotation is exactly the thing I'm after but didn't know how to name it. Great to hear you're already looking into that one.
We can leave this issue open and use it to track the feature.
Single Use Refresh Tokens
Problem
As of now a refresh token can be used to refresh a JWT as many times as desired, for as long as the refresh token is valid and not retracted.
Regarding security considerations, I'd like to have a refresh token that can be used to refresh a JWT only once.
Solution
The refresh response must return, alongside the new JWT, a new valid refresh token. The used refresh token must become invalid immediately.
The application's security configuration must offer the use of single use refresh tokens.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
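The rotation and leak-detection behaviour discussed in the comments and in the Solution section above, as an added example (hypothetical code, not FusionAuth's implementation): every refresh consumes the presented token and mints a new one, and presenting an already-consumed token is treated as a leak that revokes every token descended from the same login (the token "family"). The `RefreshTokenStore` class, the `family` grouping and the placeholder access-token string are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    family: str        # all tokens minted from one login share a family id (assumed design)
    user: str
    expires_at: float
    used: bool = False


class RefreshTokenStore:
    """Server-side store for single-use refresh tokens with rotation (example code)."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now                 # injectable clock so expiry can be tested
        self.tokens = {}               # refresh token string -> RefreshRecord
        self.revoked_families = set()

    def issue_on_login(self, user):
        """Mint the first refresh token of a new family after authentication."""
        return self._mint(user, secrets.token_urlsafe(16))

    def _mint(self, user, family):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshRecord(family, user, self.now() + self.ttl)
        return token

    def refresh(self, token):
        """Return (access_token, new_refresh_token) or None if the token is rejected."""
        rec = self.tokens.get(token)
        if rec is None or rec.family in self.revoked_families:
            return None
        if rec.used:
            # Reuse detected: a stale copy is being replayed, so the token may have
            # leaked. Revoke the whole family instead of only this token.
            self.revoke_family(rec.family)
            return None
        if rec.expires_at <= self.now():
            return None
        rec.used = True                 # old token is now invalid
        new_rt = self._mint(rec.user, rec.family)
        access_token = f"placeholder-jwt-for-{rec.user}"  # a real server signs a JWT here
        return access_token, new_rt

    def revoke_family(self, family):
        self.revoked_families.add(family)
        for rec in self.tokens.values():
            if rec.family == family:
                rec.used = True
```

Because the reused token and its successor share a family id, the legitimate client is also logged out and must re-authenticate, which is how the leak becomes visible.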