refresh token rotation #540
Conversation
	expectedAud          []string
	err                  error
	token                string
	expectedRefreshToken string
How are you coming up with these values? Can you implement a helper function to do this?
A few comments, but overall looks good. Thanks!
force-pushed from 4d27176 to 804abd1
Thanks for your comments. I see a user could have some refresh tokens for the same client and there is a TODO. Is it correct? I can change it here or in another PR if you think it isn't a valid feature.
Probably best for a different PR :)
Ok @ericchiang, revamped
	func (r *refreshTokenRepo) RenewRefreshToken(clientID, userID, oldToken string) (newRefreshToken string, err error) {
		// Verify
		userID, connectorID, scopes, err := r.verify(nil, clientID, oldToken)
Why is verify outside the transaction?
Because if dex can't verify the token you save opening a transaction.
okay sure
small nit but other than that tested locally and lgtm
Update refresh token flow to revoke the old refresh token and generate a new one. Fixes dexidp#519
force-pushed from 804abd1 to c91b37a
lgtm!
Added refresh token rotation.
Fixes #519