This repository was archived by the owner on Jan 20, 2024. It is now read-only.

Description
Example of issue:
1. Call the light-oauth2 code service (GET), and use the authorization code that was sent to the redirect URI.
2. Call the light-oauth2 token service (POST: authorization code grant type) with the authorization code. It will return an access token T1 and a refresh token R1.
3. Call the light-oauth2 token service (POST: refresh token grant type) with refresh token R1. It will return an access token T2 and a refresh token R2.
4. Call the light-oauth2 token service again (again, POST: refresh token grant type) with refresh token R1. It will return an access token T3 and a refresh token R3.
Step 4 contradicts the docs, which say that "the authorization server revokes the old refresh token after issuing a new refresh token to the client." From step 4 above, however, refresh token R1 does not appear to have been revoked even after the new refresh token R2 was issued: R1 is still able to obtain new access tokens.
So now R1, R2, and R3 can all be used to get new access tokens, and the set of usable refresh tokens keeps growing indefinitely. A refresh token that is never revoked on rotation is equivalent to a long-lived credential: if any one of R1, R2, R3, ... leaks, it remains valid even though the client has long since moved on to a newer token.
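The behaviour the docs describe, with the old refresh token revoked at the moment a new one is issued, can be shown with a small in-memory token endpoint. This is an added illustrative example written for this issue; it is not light-oauth2's code and its class and method names (`RotatingTokenService`, `exchange_code`, `refresh`, `walk_through`) are assumptions. It also goes one step beyond the docs: presenting an already-rotated refresh token is treated as a reuse signal and revokes the whole token family, which is the mitigation recommended in the OAuth 2.0 Security Best Current Practice for public clients.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str


class RotatingTokenService:
    """Illustrative token endpoint with one-time-use refresh tokens.

    Not light-oauth2's implementation. Every successful refresh revokes the
    refresh token that was presented, so only the newest token in a chain is
    usable. Presenting a rotated-out token again is treated as reuse and
    revokes every still-active token descended from the same grant.
    """

    def __init__(self, access_ttl_seconds: int = 600):
        self.access_ttl = access_ttl_seconds
        # refresh_token -> family id, for currently usable refresh tokens only
        self._active: Dict[str, str] = {}
        # refresh_token -> family id, for tokens that have already been rotated
        self._revoked: Dict[str, str] = {}
        # access_token -> expiry timestamp
        self._access: Dict[str, float] = {}

    def _mint(self, family: str) -> TokenPair:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = time.time() + self.access_ttl
        self._active[refresh] = family
        return TokenPair(access, refresh)

    def exchange_code(self, code: str) -> TokenPair:
        # Step 2 of the report: authorization code grant. Validating the code
        # itself is out of scope here; each grant starts a new token family.
        family = secrets.token_hex(8)
        return self._mint(family)

    def refresh(self, presented: str) -> Optional[TokenPair]:
        family = self._active.pop(presented, None)
        if family is not None:
            # Normal rotation: the presented token is revoked, a new pair issued.
            self._revoked[presented] = family
            return self._mint(family)
        family = self._revoked.get(presented)
        if family is not None:
            # Reuse of a rotated-out token: revoke the entire family so neither
            # the legitimate client nor whoever replayed the token keeps access.
            for tok in [t for t, f in self._active.items() if f == family]:
                self._revoked[tok] = self._active.pop(tok)
        return None

    def is_access_token_valid(self, access: str) -> bool:
        expiry = self._access.get(access)
        return expiry is not None and expiry > time.time()

    def active_refresh_tokens(self) -> int:
        return len(self._active)


def walk_through() -> dict:
    """Replay steps 2 to 4 of the report against the rotating service."""
    svc = RotatingTokenService()
    t1 = svc.exchange_code("constructed-auth-code")   # step 2: T1 / R1
    t2 = svc.refresh(t1.refresh_token)                # step 3: T2 / R2
    t3 = svc.refresh(t1.refresh_token)                # step 4: R1 again
    return {
        "step3_issued": t2 is not None,
        "step4_issued": t3 is not None,
        "t1_still_valid": svc.is_access_token_valid(t1.access_token),
        "usable_refresh_tokens": svc.active_refresh_tokens(),
    }


if __name__ == "__main__":
    print(walk_through())
```

With rotation enforced, step 3 succeeds, step 4 is refused, and because the replay of R1 revokes the family, R2 is no longer usable either; the client has to go back through the authorization code flow. Without the family-revocation branch the result of step 4 would still be a refusal, but R2 would remain the single usable refresh token, which is the minimum the docs promise.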