It is possible to invoke refresh_token flow with access_token (instead of refresh_token) #829

Closed
yuriyz opened this Issue Jun 20, 2018 · 1 comment

yuriyz commented Jun 20, 2018

Reported in support ticket: https://support.gluu.org/authentication/5635/invoke-refresh_token-grant-type-with-an-access-token/

Currently it is possible to invoke the refresh_token grant type with an access_token. We used password grant_type to obtain an access_token and a refresh_token. Afterwards we do NOT use the refresh_token but the access_token to invoke the refresh_token grant type.

Is this behaviour intended and if so where can we probably deactivate it?

@yuriyz yuriyz added the bug label Jun 20, 2018

@yuriyz yuriyz added this to the 3.1.4 milestone Jun 20, 2018

yuriyz added a commit that referenced this issue Jun 25, 2018


yuriyz commented Jun 25, 2018

done in 3.1.4 and master

@yuriyz yuriyz closed this Jun 25, 2018
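
The check this issue asks for, as an added example that is not part of the original thread and not oxAuth's code: a token endpoint must confirm that the value presented to the refresh_token grant was issued as a refresh token to the requesting client. `TokenStore`, `refresh_loose` and `refresh_strict` are hypothetical names, and the in-memory store is constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    token_type: str  # "access_token" or "refresh_token"
    client_id: str
    subject: str


class TokenStore:
    """In-memory stand-in for an authorization server's token store (constructed)."""

    def __init__(self):
        self._by_value = {}

    def _issue(self, token_type, client_id, subject):
        value = secrets.token_urlsafe(24)
        self._by_value[value] = Grant(token_type, client_id, subject)
        return value

    def password_grant(self, client_id, subject):
        # Credential checking is omitted; only token issuance matters here.
        return {
            "access_token": self._issue("access_token", client_id, subject),
            "refresh_token": self._issue("refresh_token", client_id, subject),
        }

    def refresh_loose(self, client_id, presented):
        # Behaviour reported in the issue: any known token value is accepted,
        # so an access_token can be exchanged for a fresh access_token.
        grant = self._by_value.get(presented)
        if grant is None:
            return {"error": "invalid_grant"}
        return {"access_token": self._issue("access_token", grant.client_id, grant.subject)}

    def refresh_strict(self, client_id, presented):
        grant = self._by_value.get(presented)
        # Reject unknown values, values not issued as refresh tokens, and
        # refresh tokens issued to a different client (RFC 6749, section 6).
        if (
            grant is None
            or grant.token_type != "refresh_token"
            or grant.client_id != client_id
        ):
            return {"error": "invalid_grant"}
        return {"access_token": self._issue("access_token", grant.client_id, grant.subject)}
```
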
