Issue #391 - Don't allow refresh_token for auth; Add refreshExpiration #402
Conversation
|
Looks like the Travis build is an issue with Oracle JDK 8, not specific to my change |
|
I appreciate you updating the Travis build. Still, this test fails:
|
|
I've pushed this commit to try to fix the test: 0d6304f Please merge it in your branch and push to the PR branch again |
|
Thanks. I think I was only running the tests in the base subproject so I might’ve missed this one. |
|
Merged and ran test-app.sh and was successful locally. We will see if travis works. Nice test build BTW, I love the docker memcache and creating all the test applications on the fly. I had just been running the tests locally via gradle, I didn't even realize it had all that. |
|
I just thought of another change that might be needed for people that are upgrading to this version. Their existing refresh token won't have the new claim, so when they go to refresh it, it won't go through the loadFromRefreshToken path. I think making the check still include the null expiration would be ok: Once a new token is issued, it would have the claim and be prevented from being used as an access token. I guess the other option to this would be to include an optional parameter to |
|
Good idea! PS: I've restarted the build just in case. |
|
I'll do a 2.x release next Monday. Thank you very much for your contributions! |
Prevent refresh_token from being used for authentication as well as adding the option to specify an expiration for the refresh_token.
Documentation has been updated and test cases added for the new functions.