fix(OAuth2): refresh token is optional (backport #26266) #26271

Merged
merged 1 commit into from May 1, 2024


mergify[bot]
Contributor

@mergify mergify bot commented May 1, 2024

Don't overwrite refresh_token with an empty string, if no new refresh_token is received (i.e. the old one is still valid).

Ref: https://www.rfc-editor.org/rfc/rfc6749#section-5.1

For example, Google only sends one refresh token on first authorization. The access token is pretty short-lived. When it expires, we try to refresh it and receive a new access token – but no new refresh token. In this case we used to overwrite the refresh token, which remained valid, with an empty string. So the next refresh will not be successful anymore; the integration breaks after two cycles.

With this PR, we only change the refresh token when we actually receive a new one.


This is an automatic backport of pull request #26266 done by [Mergify](https://mergify.com).

Don't overwrite refresh_token with an empty string, if no new refresh_token is received (i.e. the old one is still valid).

Ref: https://www.rfc-editor.org/rfc/rfc6749#section-5.1
(cherry picked from commit 42be145)
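The failure mode described in the PR, as an added example that is not Frappe's code or part of this pull request: a constructed provider issues a refresh token only on first authorization, and two update strategies are compared. All names (`StoredToken`, `FakeProvider`, `update_overwriting`, `update_preserving`, `successful_refreshes`) and token values are hypothetical.

```python
# Added illustration; names below are hypothetical, not Frappe's code.
from dataclasses import dataclass


@dataclass
class StoredToken:
    access_token: str = ""
    refresh_token: str = ""


def update_overwriting(stored: StoredToken, response: dict) -> None:
    """Old behaviour described in the PR: a missing refresh_token becomes ""."""
    stored.access_token = response["access_token"]
    stored.refresh_token = response.get("refresh_token", "")


def update_preserving(stored: StoredToken, response: dict) -> None:
    """Fixed behaviour: replace the refresh token only when a new one arrives."""
    stored.access_token = response["access_token"]
    new_refresh = response.get("refresh_token")
    if new_refresh:  # RFC 6749 section 5.1: refresh_token is OPTIONAL
        stored.refresh_token = new_refresh


class FakeProvider:
    """Constructed stand-in for a provider that issues one refresh token only."""

    def __init__(self):
        self.counter = 0

    def authorize(self) -> dict:
        return {"access_token": "at-0", "refresh_token": "rt-valid", "expires_in": 3600}

    def refresh(self, refresh_token: str) -> dict:
        if refresh_token != "rt-valid":
            raise PermissionError("invalid_grant")
        self.counter += 1
        return {"access_token": f"at-{self.counter}", "expires_in": 3600}  # no refresh_token


def successful_refreshes(update, attempts: int = 3) -> int:
    """Count how many refresh cycles succeed with the given update strategy."""
    provider, stored = FakeProvider(), StoredToken()
    update(stored, provider.authorize())
    done = 0
    for _ in range(attempts):
        try:
            update(stored, provider.refresh(stored.refresh_token))
        except PermissionError:
            break
        done += 1
    return done
```

With the overwriting strategy the first refresh succeeds and wipes the stored refresh token, so the second fails; the preserving strategy keeps refreshing.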
@mergify mergify bot requested a review from a team as a code owner May 1, 2024 07:07
@mergify mergify bot requested review from ankush and removed request for a team May 1, 2024 07:07
@ankush ankush merged commit d6603c6 into version-14-hotfix May 1, 2024
10 checks passed
@ankush ankush deleted the mergify/bp/version-14-hotfix/pr-26266 branch May 1, 2024 12:56
frappe-pr-bot pushed a commit that referenced this pull request May 7, 2024
# [14.74.0](v14.73.0...v14.74.0) (2024-05-07)

### Bug Fixes

* Apply configured perms on address list ([#26334](#26334)) ([#26335](#26335)) ([4307ab4](4307ab4))
* args is a stringified JSON ([98ece0e](98ece0e))
* changes for scheduler reliability (backport [#26292](#26292)) ([#26293](#26293)) ([7691afe](7691afe))
* **Data Import:** don't rely on permission for Data Import Log (backport [#26228](#26228)) ([#26250](#26250)) ([fd0a844](fd0a844))
* **Data Import:** scheduler not needed in dev mode (backport [#24667](#24667)) ([#26264](#26264)) ([9712f14](9712f14))
* disabled user login from login via link feature ([#26134](#26134)) ([#26140](#26140)) ([96b7542](96b7542))
* don't add creation index if one exists ([#26295](#26295)) ([#26297](#26297)) ([c74dcbd](c74dcbd))
* **Geo:** change Canadian dates to ISO 8601 format ([351cd04](351cd04))
* init db conn for unbuffered cursor if not set ([#26220](#26220)) ([#26256](#26256)) ([04afefb](04afefb))
* lstrip for query writes detection ([#26180](#26180)) ([#26252](#26252)) ([6ebfe54](6ebfe54))
* multistep webform page navigation ([d5a25f2](d5a25f2))
* **Navbar Settings:** reload page after save ([#26274](#26274)) ([#26275](#26275)) ([73f265b](73f265b))
* **oauth2:** refresh token is optional ([#26266](#26266)) ([#26271](#26271)) ([d6603c6](d6603c6)), closes [/www.rfc-editor.org/rfc/rfc6749#section-5](https://github.com//www.rfc-editor.org/rfc/rfc6749/issues/section-5)
* only redirect to same domain (backport [#26304](#26304)) ([#26305](#26305)) ([c2f2d6c](c2f2d6c))
* perm query for dashboard (backport [#26239](#26239)) ([#26242](#26242)) ([4ab6a46](4ab6a46))
* reportview average of ints should be float (backport [#26284](#26284)) ([#26287](#26287)) ([c0f3912](c0f3912))
* Treeview DB lookup should perform the same preparation operations as method update_nsm in file nestedset.py ([#26199](#26199)) ([#26259](#26259)) ([01e08f8](01e08f8))

### Features

* `Desk User` role (backport [#22224](#22224)) ([#26237](#26237)) ([171e1d0](171e1d0))
* System Health Report (backport [#26046](#26046)) ([#26255](#26255)) ([f2d2d0c](f2d2d0c))

### Performance Improvements

* Reduce 1 redis call while dumping monitor logs (backport [#26337](#26337)) ([#26338](#26338)) ([75b2a86](75b2a86))
@frappe-pr-bot
Collaborator

🎉 This PR is included in version 14.74.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024