Need to limit how many times an OIDC refresh token can be used to get new tokens #12790
Assignees
Labels
bug
This bug is not present in a released version of Open Liberty
in:Security
Needs member attention
release bug
This bug is present in a released version of Open Liberty
release:200010
team:Security SSO
Comments
yannizhang2019
added
the
bug
|
In Liberty OIDC authorization flow, we limit how many tokens a client can be issued for a user, but we do not put token limit on refresh token which results unlimited access_tokens for a given refresh_token |
ayoho
added
the
release bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected behavior: Need to limit how many times an OIDC refresh token can be used to get new tokens
Current behavior: you can have unlimited requests to get the tokens. This can cause potentially large number of tokens accumulated.
Diagnostic information:
os linux
version 19.0.0.3
java.runtime = Java(TM) SE Runtime Environment (8.0.5.40 - pxa6480sr5fp40-20190807_01(SR5 FP40))
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: