You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
BUSINESS PROBLEM
Currently the Venafi PKI Monitoring Secrets Engine is bootstrapped with both an Access Token and a Refresh Token, assuming security best practices are followed and the validity of the Access Token is limited to a few days. The Secrets Engine uses the Access Token until it expires and then it responds by using the Refresh Token to obtain a new pair of tokens and this process repeats until TPP no longer allows the tokens to be refreshed.
PROPOSED SOLUTION
Require only a Refresh Token to bootstrap the Venafi PKI Monitoring Secrets Engine which would have a few advantages. One is that the provided Refresh Token would need to be used immediately by the Secrets Engine to obtain a new pair of tokens and that ensures the original Access Token cannot be used by any other application or person because the act of refreshing it immediately invalidates it.
Another advantage is that the Secrets Engine will have immediate access to the expiration date of the Access Token so it would be able to store and monitor that date to proactively refresh the token within day of its expiration, for example. A general objective is to minimize the amount of data a user is required to provide to get things working which is why the original expiration date wasn't considered to be specified along with the Access Token and Refresh Token in the current implementation.
Assuming this enhancement is accepted, the access_token parameter would then only apply for the case of a long-validity and/or non-refreshable grant.
CURRENT ALTERNATIVES
None other than to provide both the Access Token and Refresh Token as described in the BUSINESS PROBLEM section.
The text was updated successfully, but these errors were encountered:
BUSINESS PROBLEM
Currently the Venafi PKI Monitoring Secrets Engine is bootstrapped with both an Access Token and a Refresh Token, assuming security best practices are followed and the validity of the Access Token is limited to a few days. The Secrets Engine uses the Access Token until it expires and then it responds by using the Refresh Token to obtain a new pair of tokens and this process repeats until TPP no longer allows the tokens to be refreshed.
PROPOSED SOLUTION
Require only a Refresh Token to bootstrap the Venafi PKI Monitoring Secrets Engine which would have a few advantages. One is that the provided Refresh Token would need to be used immediately by the Secrets Engine to obtain a new pair of tokens and that ensures the original Access Token cannot be used by any other application or person because the act of refreshing it immediately invalidates it.
Another advantage is that the Secrets Engine will have immediate access to the expiration date of the Access Token so it would be able to store and monitor that date to proactively refresh the token within day of its expiration, for example. A general objective is to minimize the amount of data a user is required to provide to get things working which is why the original expiration date wasn't considered to be specified along with the Access Token and Refresh Token in the current implementation.
Assuming this enhancement is accepted, the
access_token
parameter would then only apply for the case of a long-validity and/or non-refreshable grant.CURRENT ALTERNATIVES
None other than to provide both the Access Token and Refresh Token as described in the BUSINESS PROBLEM section.
The text was updated successfully, but these errors were encountered: