Doesn't reuse the refresh token #67

Open
dgutov opened this Issue Aug 18, 2011 · 1 comment

Projects

None yet

2 participants

@dgutov
dgutov commented Aug 18, 2011

I'm using this gem to authenticate with Google APIs. When I do

token = token.refresh!

the new access token always has refresh_token field empty.
If I assign it the previous refresh_token manually, it works on the next refresh.

The draft section 1.5 step H says that issuing a new refresh token is optional, so maybe you should handle the case when the response to refresh request doesn't contain a refresh token and reuse the previous one.

@felipeelias

When you refresh the token and you don't get a response along with a refresh token (either new or same as previous), from my understanding, this means that you should not refresh this token again.

I think this is the same case when you request the access token for the "first time", if you get the refresh token in the response, you'll be able to refresh the token.

The specs are not clear (at least for me) whether you should return the same refresh token or not. The latest draft also suggests to employ refresh token rotation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment