
Granting a new refresh_token when refreshing a token #22

Closed

dsquier opened this issue Jan 11, 2013 · 2 comments

Comments

@dsquier
Contributor

dsquier commented Jan 11, 2013

When submitting a request for an access_token using either the 'Authorization Code' or 'Resource Owner Password Credential' grant, a refresh_token is provided. An example from the latter:

{"access_token":"df680f467c3a410ef615dad7cc480de547467144","expires_in":3600,"token_type":"bearer","scope":null,"refresh_token":"9a74026f2be71d8e81f13d5d607217d93c1ff52d"}

When using the refresh_token from above to request a new access_token, a new refresh_token is not provided, i.e.,

{"access_token":"4a3812a0638e9d4120ba3721e1a9158e72eacacb","expires_in":3600,"token_type":"bearer","scope":null}

While the spec does not strictly require a refresh_token be granted in this case, is it possible to do this?

Thanks much!

@bshaffer
Owner

According to the spec, the refresh_token grant type MAY issue a new refresh token:

The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the
new refresh token.

As a result, I've added the option always_issue_new_refresh_token (defaults to FALSE) in the OAuth2_GrantType_RefreshToken class. So, by default a new refresh token is not issued, but you can easily configure this to do so.

I am open to changing the default to TRUE.
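To make the behaviour discussed above concrete, here is an added example (my own code, not the oauth2-server-php library's) that models a refresh_token grant handler with an always_issue_new_refresh_token switch. The in-memory store, the client IDs and the fixed clock are constructed for the example; the library itself persists tokens through its storage classes. The point it shows is the security difference between the two settings: with the switch off, the original refresh token stays valid indefinitely (until it expires), whereas with it on, the old token is revoked the moment its replacement is issued, which is why the spec says the client MUST discard it.

```python
"""Model of the OAuth 2.0 refresh_token grant (draft-31 / RFC 6749 section 6)
with an optional 'always issue a new refresh token' switch.
Added example, not library code."""
import secrets
import time


class TokenStore:
    """Constructed in-memory store; a real server persists these."""

    def __init__(self):
        self.access_tokens = {}   # token -> {"client_id", "scope", "expires"}
        self.refresh_tokens = {}  # token -> {"client_id", "scope", "expires", "revoked"}


class RefreshTokenGrant:
    def __init__(self, store, always_issue_new_refresh_token=False,
                 access_lifetime=3600, refresh_lifetime=14 * 24 * 3600, now=time.time):
        self.store = store
        self.always_issue_new_refresh_token = always_issue_new_refresh_token
        self.access_lifetime = access_lifetime
        self.refresh_lifetime = refresh_lifetime
        self.now = now  # injectable clock so the example is deterministic

    @staticmethod
    def _new_token():
        # 160 bits from the OS CSPRNG, rendered as 40 hex chars like the tokens in the issue
        return secrets.token_hex(20)

    def _issue_access(self, client_id, scope):
        token = self._new_token()
        self.store.access_tokens[token] = {
            "client_id": client_id, "scope": scope,
            "expires": self.now() + self.access_lifetime}
        return token

    def _issue_refresh(self, client_id, scope):
        token = self._new_token()
        self.store.refresh_tokens[token] = {
            "client_id": client_id, "scope": scope,
            "expires": self.now() + self.refresh_lifetime, "revoked": False}
        return token

    def issue_initial(self, client_id, scope=None):
        """Response shape of the password / authorization-code grants:
        an access token plus a refresh token."""
        return {
            "access_token": self._issue_access(client_id, scope),
            "expires_in": self.access_lifetime,
            "token_type": "bearer",
            "scope": scope,
            "refresh_token": self._issue_refresh(client_id, scope),
        }

    def refresh(self, client_id, refresh_token):
        """grant_type=refresh_token handler."""
        entry = self.store.refresh_tokens.get(refresh_token)
        if (entry is None or entry["revoked"]
                or entry["client_id"] != client_id      # token is bound to the issuing client
                or entry["expires"] <= self.now()):
            return {"error": "invalid_grant"}
        response = {
            "access_token": self._issue_access(client_id, entry["scope"]),
            "expires_in": self.access_lifetime,
            "token_type": "bearer",
            "scope": entry["scope"],
        }
        if self.always_issue_new_refresh_token:
            # Rotation: the old token stops working as soon as its replacement
            # is issued, so a client that keeps using it gets invalid_grant.
            entry["revoked"] = True
            response["refresh_token"] = self._issue_refresh(client_id, entry["scope"])
        return response


def run_demo(rotate):
    """Issue a token pair, refresh once, then retry the original refresh token
    from the right client and from a different (hypothetical) client."""
    store = TokenStore()
    grant = RefreshTokenGrant(store, always_issue_new_refresh_token=rotate,
                              now=lambda: 1_000_000)
    first = grant.issue_initial("client_a")
    second = grant.refresh("client_a", first["refresh_token"])
    reuse_old = grant.refresh("client_a", first["refresh_token"])
    wrong_client = grant.refresh("client_b", first["refresh_token"])
    return first, second, reuse_old, wrong_client


if __name__ == "__main__":
    import json
    for rotate in (False, True):
        _, second, reuse_old, _ = run_demo(rotate)
        print(f"always_issue_new_refresh_token={rotate}")
        print("  refresh response:        ", json.dumps(second))
        print("  re-using old refresh token:", json.dumps(reuse_old))
```

Running the script prints the two response shapes from the issue (one without and one with a refresh_token field) and shows that only in the rotating configuration is the old refresh token rejected afterwards. Rotation is the setting that limits how long a leaked refresh token stays useful, which is the practical reason to prefer it as a default; the trade-off is that a client which fails to store the new token after a refresh is locked out and must re-authenticate.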

@dsquier
Contributor Author

dsquier commented Jan 11, 2013

This is perfect, thanks much!

On Friday, January 11, 2013, Brent Shaffer wrote:

According to the spec (http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-6),
the refresh_token grant type MAY issue a new refresh token:

The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the
new refresh token.

As a result, I've added the option always_issue_new_refresh_token (defaults to FALSE) in the
OAuth2_GrantType_RefreshToken class. So, by default a new refresh token
is not issued, but you can easily configure this to do so.

I am open to changing the default to TRUE.
