Refresh tokens should only work once and return a new refresh token #519

Closed
ericchiang opened this issue Jul 22, 2016 · 0 comments
@ericchiang
Contributor

Also known as "Refresh Token Rotation"

Currently a refresh token can be redeemed for an access/ID token as many times as the holder of that refresh token likes. E.g.

```json
{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "id_token": "..."
}
```

Instead, Dex should also return a new refresh token every time one is claimed.

```json
{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token": "..."
}
```

This immediately invalidates the current refresh token, and the client must use the new one. The primary motivation is detecting that a refresh token has been stolen. Summed up well by RFC 6819:

> Refresh token rotation is intended to automatically detect and
> prevent attempts to use the same refresh token in parallel from
> different apps/devices. This happens if a token gets stolen from the
> client and is subsequently used by both the attacker and the
> legitimate client.
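As an added illustration (not Dex's code and not part of this issue), here is a small Go store that implements the rotation described above together with the RFC 6819 reuse check: redeeming a refresh token retires it and returns a new one in the same "family", and a retired token showing up again revokes the whole family so both holders are cut off. The names (RotatingStore, Issue, Refresh, record) are assumptions for this example; it is in-memory and single-goroutine.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
)

var ErrUnknown = errors.New("unknown refresh token")
var ErrReuse = errors.New("refresh token reuse detected; family revoked")
// record ties a token to its grant ("family") and says whether it is still
// that family's live token. Retired tokens are kept so a replay reads as reuse.
type record struct {
	family  string
	current bool
}
// RotatingStore is an in-memory, single-goroutine store: no locking, no persistence.
type RotatingStore struct {
	tokens  map[string]record
	revoked map[string]bool // families killed after a reuse was seen
}
func NewRotatingStore() *RotatingStore { return &RotatingStore{tokens: map[string]record{}, revoked: map[string]bool{}} }
func newToken() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read does not fail in practice; Go 1.24 guarantees it
	return base64.RawURLEncoding.EncodeToString(b)
}
// Issue mints the first refresh token of a new family (the original grant).
func (s *RotatingStore) Issue() string {
	t := newToken()
	s.tokens[t] = record{family: t, current: true}
	return t
}
// Refresh retires old and returns a fresh token of the same family. A retired token
// coming back means two parties hold the family (RFC 6819): revoke all of it.
func (s *RotatingStore) Refresh(old string) (string, error) {
	rec, ok := s.tokens[old]
	if !ok {
		return "", ErrUnknown
	}
	if s.revoked[rec.family] || !rec.current {
		s.revoked[rec.family] = true
		return "", ErrReuse
	}
	s.tokens[old] = record{family: rec.family, current: false}
	t := newToken()
	s.tokens[t] = record{family: rec.family, current: true}
	return t, nil
}
```

Note that after a replay the legitimate client's own (current) token is rejected too; that forced re-authentication is the detection signal, not a bug.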

rsoletob added a commit to Tecsisa/dex that referenced this issue Aug 16, 2016
Update refresh token flow to revoke old refresh token and generate a new one.

Fixes dexidp#519