
Review accessToken and refreshToken behavior in other implementations #174

Closed
ilopmar opened this issue Feb 19, 2020 · 2 comments
Label: type: improvement (A minor improvement to an existing feature)
Milestone: 2.0.0
Assignee: jameskleeh

Comments

ilopmar (Contributor) commented Feb 19, 2020

According to the RFC: https://tools.ietf.org/html/rfc6749#section-1.4

Access tokens are credentials used to access protected resources

https://tools.ietf.org/html/rfc6749#section-1.5

Refresh tokens are credentials used to obtain access tokens

This implies that refresh tokens shouldn't be valid to access resources but only to get new access tokens.

At this moment Micronaut allows access to resources using accessTokens.

Review how other implementations manage this.

@jameskleeh jameskleeh added the type: improvement A minor improvement to an existing feature label Feb 27, 2020
@jameskleeh jameskleeh added this to the 2.0.0 milestone Feb 27, 2020
julKali commented Feb 27, 2020

I would suggest one of the following two options:

  • reserve a special role for refresh tokens, i.e. _REFRESH
  • add a scope object to the token and move the roles declaration into scope. Only access tokens have the roles property, refresh tokens have a property refresh set to true. See example below.

access token:

{
  "sub": "example",
  "nbf": 1580119425,
  "scope": {
    "roles": [
      "GENERAL"
    ]
  },
  "exp": 1580123025,
  "iss": "mnuserauth",
  "iat": 1580119425
}

refresh token:

{
  "sub": "example",
  "nbf": 1580119425,
  "scope": {
    "refresh": true
  },
  "iss": "mnuserauth",
  "iat": 1580119425
}
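The following is an added example, not code from this issue, from julKali, or from Micronaut itself. It implements the second option above (a `scope` object that carries `roles` on access tokens and `refresh: true` on refresh tokens) with a minimal HS256 JWT built from the Python standard library, and then shows the two checks that make the RFC distinction enforceable: a resource endpoint that rejects anything without `scope.roles` or with `scope.refresh` set, and a token endpoint that accepts only refresh tokens. The HMAC key, the issuer name `mnuserauth` (taken from the sample tokens above), the token lifetimes, and the `roles_for` lookup are assumptions for the example; unlike the sample refresh token above, the refresh token here also carries an `exp`, since an unexpiring refresh token is a standing credential.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example (not Micronaut's): demo key, issuer, lifetimes.
SECRET = b"demo-secret-not-for-production"
ISSUER = "mnuserauth"
ACCESS_TTL = 3600           # one hour, as in the sample token (nbf + 3600 == exp)
REFRESH_TTL = 30 * 86400    # thirty days


class TokenError(Exception):
    """Raised when a token fails verification or is the wrong kind for the endpoint."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(header_b64, payload_b64):
    msg = (header_b64 + "." + payload_b64).encode("ascii")
    return _b64url(hmac.new(SECRET, msg, hashlib.sha256).digest())


def encode(claims):
    """Serialise and sign a claim set as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return header + "." + payload + "." + _sign(header, payload)


def decode(token, now=None):
    """Verify alg, signature, iss, nbf and exp; return the claims or raise TokenError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise TokenError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(header_b64, payload_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("nbf", 0) > now:
        raise TokenError("token not yet valid")
    if "exp" in claims and claims["exp"] <= now:
        raise TokenError("token expired")
    return claims


def mint_access_token(sub, roles, now=None):
    now = int(time.time()) if now is None else now
    return encode({"sub": sub, "nbf": now, "iat": now, "exp": now + ACCESS_TTL,
                   "iss": ISSUER, "scope": {"roles": list(roles)}})


def mint_refresh_token(sub, now=None):
    now = int(time.time()) if now is None else now
    return encode({"sub": sub, "nbf": now, "iat": now, "exp": now + REFRESH_TTL,
                   "iss": ISSUER, "scope": {"refresh": True}})


def authorize_resource(token, required_role, now=None):
    """Resource-server check: only an access token carrying the role is accepted.

    A refresh token is rejected even though its signature and expiry are fine,
    which is the behaviour RFC 6749 sections 1.4 and 1.5 imply.
    """
    claims = decode(token, now)
    scope = claims.get("scope") or {}
    if scope.get("refresh") is True or "roles" not in scope:
        raise TokenError("refresh token presented to a resource endpoint")
    if required_role not in scope["roles"]:
        raise TokenError("missing role")
    return claims["sub"]


def refresh_access_token(token, roles_for, now=None):
    """Token endpoint: only a refresh token may be exchanged for a new access token.

    roles_for(sub) is an assumed lookup of the subject's current roles, so a
    role change takes effect on the next refresh rather than being copied forward.
    """
    claims = decode(token, now)
    scope = claims.get("scope") or {}
    if scope.get("refresh") is not True:
        raise TokenError("access token presented to the token endpoint")
    return mint_access_token(claims["sub"], roles_for(claims["sub"]), now)
```

The two endpoint checks key on the shape of `scope` rather than on the absence of a claim, so a token that is missing `scope` entirely is rejected at both endpoints rather than silently treated as one kind or the other.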

sdelamo (Contributor) commented Mar 2, 2020

I've checked both Okta and Auth0 and they don't use JWT as refresh tokens.

@jameskleeh jameskleeh self-assigned this Apr 28, 2020