-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refresh token allowed as Access Token #391
Comments
Hi team, |
Adding an expiration to the refresh token would break the current plugin as the code specifically uses:
to check if it is doing a refresh or not. I agree, it seems like those are two separate concerns. The refresh token should probably just have a claim that indicates specifically it is for refresh. Or the loadbyUserName could just take an optional flag indicating it's a refresh operation. |
I tested this as well locally and can confirm that you can replace the access_token with the refresh_token and use it to authenticate successfully. The best solution might be to have the That would allow the refresh token to have a configurable expiration date (if desired) and still be identified as a refresh_token via the custom claim. I can fix this and submit a PR |
Adding a custom claim sounds good to me |
Issue #391 - Don't allow refresh_token for auth; Add refreshExpiration
@alvarosanchez Any update on this? I see you merged a fix but it never passed the build :) |
Passing the refresh token instead of the access token when using JWT seems to be accepted. I added an "else" case to the if(expiry) check in RestAuthenticationProvider to throw an exception in this case, since this seems to be a security vulnerability (since refresh token does not expire). If my understanding of JWT is incorrect here, please let me know, but thought this would be an improvement to the otherwise great plugin.
The text was updated successfully, but these errors were encountered: