
Improve the logic of extracting refresh_token from the token endpoint response #1206

Closed
ldclakmal opened this issue Apr 5, 2021 · 1 comment · Fixed by ballerina-platform/module-ballerina-oauth2#162
Assignees
Labels
Area/Security Issues related to stdlib security module/oauth2 Team/PCM Protocol connector packages related issues Type/Bug Verson/SwanLakeDump All issues planned for Swan Lake GA release

Comments

@ldclakmal (Member)

Description:
The logic of extracting refresh_token from the authorization endpoint response should be improved based on the grant type, because the refresh_token property may or may not be there depending on that.

@ldclakmal ldclakmal self-assigned this Apr 5, 2021
@ldclakmal ldclakmal added the Team/PCM Protocol connector packages related issues label Apr 16, 2021
@ldclakmal ldclakmal changed the title Improve the logic of extracting refresh_token from the authorization endpoind response Improve the logic of extracting refresh_token from the authorization endpoint response Apr 20, 2021
@ldclakmal (Member, Author)

This is a bug. The optional refresh_token property which is sent by the refresh endpoint should replace the existing refresh_token property set by the user in the oauth2:RefreshTokenGrantConfig record. This scenario is very rare because normally the refresh_token is a long-lasting credential.

According to the RFC, Section 6 (https://tools.ietf.org/html/rfc6749#section-6):

> The authorization server MAY issue a new refresh token, in which case
> the client MUST discard the old refresh token and replace it with the
> new refresh token. The authorization server MAY revoke the old
> refresh token after issuing a new refresh token to the client. If a
> new refresh token is issued, the refresh token scope MUST be
> identical to that of the refresh token included by the client in the
> request.
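The client-side rule described in the comment above, as an added example that is not part of this issue or of the Ballerina oauth2 module: a small token cache that applies a token endpoint response per grant type, replacing the stored refresh_token only when the server actually issues a new one and keeping the user-configured one otherwise. The `TokenState` record, the `apply_token_response` function and the sample JSON responses are all constructed for illustration.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenState:
    """Constructed client-side cache of the credentials obtained from the token endpoint."""
    access_token: Optional[str] = None
    token_type: Optional[str] = None
    refresh_token: Optional[str] = None   # may come from user config (RefreshTokenGrantConfig)
    expires_at: Optional[float] = None    # absolute epoch seconds, derived from expires_in


def apply_token_response(state: TokenState, grant_type: str, body: str,
                         now: Optional[float] = None) -> TokenState:
    """Apply a successful token endpoint response (RFC 6749 section 5.1) to the cached state.

    grant_type is the grant the client used for this request: "authorization_code",
    "password", "client_credentials" or "refresh_token".
    """
    now = time.time() if now is None else now
    resp = json.loads(body)
    # access_token and token_type are REQUIRED in every successful response (section 5.1)
    if "access_token" not in resp or "token_type" not in resp:
        raise ValueError("token response is missing required access_token/token_type")

    # Start from the previous refresh_token so a response without one never erases it.
    new = TokenState(access_token=resp["access_token"], token_type=resp["token_type"],
                     refresh_token=state.refresh_token)
    if "expires_in" in resp:
        new.expires_at = now + int(resp["expires_in"])

    issued = resp.get("refresh_token")
    if grant_type == "client_credentials":
        # Section 4.4.3: a refresh token SHOULD NOT be included for this grant; this
        # constructed client ignores one rather than caching an unexpected credential.
        new.refresh_token = None
    elif issued:
        # Section 6 (refresh grant): a newly issued refresh token replaces the old one,
        # which the client must discard. For authorization_code/password grants the
        # refresh_token is simply optional (sections 4.1.4, 4.3.3).
        new.refresh_token = issued
    # else: no refresh_token in the response, so the existing one stays valid and is kept.
    return new
```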

@ldclakmal ldclakmal added Type/Bug Verson/SwanLakeDump All issues planned for Swan Lake GA release and removed Type/Improvement labels Apr 26, 2021
@ldclakmal ldclakmal added this to the Swan Lake Beta RC1 milestone Apr 27, 2021
@ldclakmal ldclakmal changed the title Improve the logic of extracting refresh_token from the authorization endpoint response Improve the logic of extracting refresh_token from the token endpoint response Aug 13, 2021
@ldclakmal ldclakmal added the Area/Security Issues related to stdlib security label Sep 28, 2021

1 participant