Epic: Re-design refresh token handling #3519

Open
leastprivilege opened this issue Aug 5, 2019 · 7 comments

@leastprivilege leastprivilege commented Aug 5, 2019

ideas

  • keep history of refresh tokens to enable revocation in case the same token gets refreshed twice
  • bind refresh token to session cookie for SPA scenarios (maybe less and less feasible with ongoing browser cookie hardening)

related

#2610
#3245


@brockallen brockallen commented Aug 9, 2019

  • soft delete, and future RT usage for invalid tokens will have better logging

@leastprivilege leastprivilege commented Sep 19, 2019

Consider supporting scope parameter on RT requests

#3644


@brockallen brockallen commented Dec 10, 2019

Related: #3354


@brockallen brockallen commented Dec 10, 2019

Related: #1056


@brockallen brockallen commented Dec 10, 2019

Related: #2976


@stale stale bot commented Jan 10, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jan 10, 2020
@stale stale bot removed the wontfix label Jan 10, 2020

@leastprivilege leastprivilege commented Jan 21, 2020

If the original token request was made using e.g. MTLS - we could bind the refresh token to the confirmation method -

IOW - the client would need to use the same client certificate for refreshing the token as it used to request the initial token. Might be useful for public native clients where no client secret is used.
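The three design points raised in this thread (keeping a history of refresh tokens so that a second use of the same token can revoke the grant, with the soft-deleted record kept for better logging; honouring a scope parameter on refresh requests; and binding the refresh token to the mTLS confirmation method used at the original token request) can be sketched in one small store. The following is an added example written for this page, not IdentityServer4 code; the class and method names (`RefreshTokenStore`, `TokenRecord`, `refresh`, `cnf_x5t`) and the thumbprint and scope values are constructed for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    """One refresh-token handle. Kept after use (soft delete) so reuse is detectable."""
    handle_hash: str                    # only the hash of the handle is stored
    family_id: str                      # every rotation of one grant shares a family
    subject: str
    client_id: str
    scopes: frozenset
    cnf_x5t: Optional[str]              # client-cert thumbprint bound at issuance (mTLS), if any
    consumed_at: Optional[float] = None  # set when used instead of deleting the row
    revoked: bool = False


class RefreshTokenStore:
    """Hypothetical store: rotation, reuse detection, cnf binding, scope narrowing."""

    def __init__(self):
        self._by_hash = {}      # handle hash -> TokenRecord
        self._families = {}     # family id -> [handle hashes]
        self.log = []           # audit lines a SIEM rule could key on

    @staticmethod
    def _hash(handle):
        return hashlib.sha256(handle.encode()).hexdigest()

    def issue(self, subject, client_id, scopes, cnf_x5t=None, family_id=None):
        handle = secrets.token_urlsafe(32)
        fam = family_id or secrets.token_hex(8)
        rec = TokenRecord(self._hash(handle), fam, subject, client_id,
                          frozenset(scopes), cnf_x5t)
        self._by_hash[rec.handle_hash] = rec
        self._families.setdefault(fam, []).append(rec.handle_hash)
        return handle

    def lookup(self, handle):
        return self._by_hash.get(self._hash(handle))

    def revoke_family(self, family_id, reason):
        # A replayed token means either the honest client lost the response or
        # someone else holds a copy; the store cannot tell, so the whole family goes.
        for h in self._families.get(family_id, []):
            self._by_hash[h].revoked = True
        self.log.append(f"family {family_id} revoked: {reason}")

    def refresh(self, handle, client_id, requested_scopes=None, presented_x5t=None):
        rec = self.lookup(handle)
        if rec is None:
            self.log.append("refresh with unknown token")
            return None
        if rec.revoked:
            self.log.append(f"refresh with revoked token (family {rec.family_id})")
            return None
        if rec.consumed_at is not None:             # same token refreshed twice
            self.revoke_family(rec.family_id, "refresh token reuse detected")
            return None
        if rec.client_id != client_id:
            self.log.append(f"client mismatch (family {rec.family_id})")
            return None
        if rec.cnf_x5t is not None and presented_x5t != rec.cnf_x5t:
            self.log.append(f"cnf mismatch (family {rec.family_id})")  # token not consumed
            return None
        scopes = rec.scopes if requested_scopes is None else frozenset(requested_scopes)
        if not scopes <= rec.scopes:                # narrowing only, never widening
            self.log.append(f"scope escalation refused (family {rec.family_id})")
            return None
        rec.consumed_at = time.time()
        return self.issue(rec.subject, client_id, scopes, rec.cnf_x5t, rec.family_id)


def demo():
    """Walk through the three scenarios with constructed data; returns the outcomes."""
    store = RefreshTokenStore()
    t1 = store.issue("alice", "spa", ["openid", "api"])
    t2 = store.refresh(t1, "spa")                        # normal rotation
    replay = store.refresh(t1, "spa")                    # t1 used twice -> family revoked
    after = store.refresh(t2, "spa")                     # t2 is dead as well
    m1 = store.issue("bob", "native", ["api"], cnf_x5t="constructed-thumbprint-A")
    wrong_cert = store.refresh(m1, "native", presented_x5t="constructed-thumbprint-B")
    right_cert = store.refresh(m1, "native", presented_x5t="constructed-thumbprint-A")
    s1 = store.issue("carol", "web", ["openid", "api", "admin"])
    widened = store.refresh(s1, "web", requested_scopes=["openid", "api", "admin", "extra"])
    narrowed = store.refresh(s1, "web", requested_scopes=["api"])
    return {
        "rotated": t2 is not None, "replay_refused": replay is None,
        "family_revoked": after is None,
        "wrong_cert_refused": wrong_cert is None, "right_cert_ok": right_cert is not None,
        "widen_refused": widened is None,
        "narrowed_scopes": set(store.lookup(narrowed).scopes) if narrowed else None,
        "log": list(store.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The store never deletes a consumed record, which is what makes the second-use check and the "refresh with revoked token" log line possible; a certificate mismatch is logged but does not consume the token, so a client that presents the right certificate on retry is not locked out.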
