-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refresh Token Grant - scope limitation and additional access tokens #25
Comments
The reason I created this library in the first place is because so many people have been implementing OAuth incorrectly and inconsistently and I think this is one example where perhaps deviating from the spec slightly is the best course of action |
The problem is, that point 1 depends on point 2 - you have a set of allowed scopes and can reduce them, but after that you won't have the chance to create a new access token with the original scopes. You need to keep it saved or the client will only have two options - always use full rights (insecure) or ask the user again for his credentials (bad idea). I tried to understand point 2 and checked the Google implementation. They do it as expected: It's possible to create multiple access tokens using the refresh token (they say that the number of tokens is limited, which is a good idea). You only get a refresh token with the main access token request and this can theoretically stay in the database forever (independent of the expiration time). I don't think it's too difficult:
BUT I would propose a general correction of the table structure to avoid the mentioned problem and to make it a bit clearer, easier to implement/customize and optimize the performance:
I can work on that and provide optimized scripts for the database - MySQL, SqlServer, Oracle, and perhaps Postgres (learning at the moment) - and a Session class for your server example. Attached an optimized structure, as I would propose it. I'm not sure about the roles of the fields "stage", "first_requested" and "last_updated". Are they really required? If so, only for specific scopes? [Old structure replaced by new one, see next comment] |
I optimized the structure again and created a test implementation. The Refresh Token Grant now works as expected and theoretically it's not necessary to change the scripts - I only had to rename some parameters (because the session id is now the session token id in some cases) and this renaming should be done also in the grant scripts. I'm still not sure about the role of the "stage" field. Currently it seems to be really used with the Auth Code Grant only... |
Can you run me off a MySQL dump of this new structure please |
I just sent you the DB structure and a Session Storage example via mail. |
I just found another problem with the current implementation: RFC, section 1.5:
RFC, section 6:
I modified the Session Storage script (sent to you via mail) to handle the creation of new refresh tokens in accordance with the RFC, but the flow of Refresh Token Grant class also needs to be modified. The Refresh Token Grant must differ between two cases - issue a new refresh token when a new access token is created, or not. This defines the further steps in the flow and the possibilities on the client side. Therefore it must be possible to define the preferred behavior for this Grant: RefreshToken::useRefreshTokenRotation(true|false) If TRUE:
If FALSE:
|
I updated the DB structure and the Session Storage class once again, due to the following points... Security problems:
Other problems:
My changes in the Session Storage class: createSession
updateSession
validateAuthCode
deleteSession
I sent you the updated files via mail... |
I've implemented all of this in v2.0 and significantly simplified the usage |
Following the RFC, the implementation of the Refresh Token Grant isn't correct:
"Refresh tokens are issued [...] to obtain additional access tokens with identical or narrower scope." http://tools.ietf.org/html/rfc6749#section-1.5
So it should be possible to change (limit) the scope of the existing session. At the moment the scope parameter is not used in the Refresh Token Grant. For example this is required for security reasons when you use multiple resource servers and don't want to use the same scope on each server.
The current implementation doesn't create an "additional" access token, but replaces the existing one. I checked the oauth mailing list (http://list-archives.org/2012/10/31/oauth-ietf-org/oauth-wg-access-tokens-refresh-tokens-of-different-scopes/f/4229413633) and "additional" really means additional here, so you should be able to have multiple valid access tokens at the same time. But I'm not sure when to invalidate them - when creating an access token using another grant type?
The text was updated successfully, but these errors were encountered: