Option to NOT revoke refresh tokens? #815
Comments
You want this PR merged in: #769. In this scenario, the previous refresh token wouldn't get revoked until the new one is used once.
Closing in favor of PR. Thanks for reporting.
I use access and refresh tokens to authenticate mobile apps accessing an API server. The goal is to do the login with username/password once, then only keep access and refresh tokens on the client, which can be reissued again and again. The access tokens expire after a few hours and clients use the refresh token flow to receive a new access token. Most of the time that works perfectly well.
However, since these are mobile clients they often have unreliable internet connectivity. Sometimes they submit the refresh token request, the server receives it, generates a new access/refresh token pair and sends it back to the client, which... never receives it. So the client will retry the refresh token request, but it will fail because the original refresh token has been revoked when the new one was issued. As a result, the client is completely logged out and the user has to reauthenticate by entering username / password.
According to the spec:
"the authorization server MAY revoke the old refresh token after issuing a new refresh token to the client"
It would be great if there was an option to not revoke refresh tokens when refreshing, e.g. like this
Any thoughts?
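The rotation behaviour this issue describes, and the grace period proposed in the comment above (old token stays valid until the new one has been used once), as an added example that is not part of this thread or of the project's code. It is a hypothetical in-memory store: with the grace option off, a retry after a lost response is rejected exactly as the issue reports; with it on, the retry is answered idempotently with the same successor, and presenting an old token after its successor has already been used revokes the whole chain (that last step is an assumption added here, not something the thread states).

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RefreshToken:
    family: str                       # shared by every token descended from one login
    successor: Optional[str] = None   # refresh token this one was rotated into, if any
    revoked: bool = False


class RefreshTokenStore:
    """Hypothetical server-side store (constructed for this example)."""

    def __init__(self, grace_on_rotation: bool) -> None:
        self.grace_on_rotation = grace_on_rotation
        self._tokens: Dict[str, RefreshToken] = {}

    def _mint(self, family: str) -> str:
        value = secrets.token_urlsafe(32)
        self._tokens[value] = RefreshToken(family=family)
        return value

    def login(self) -> str:
        """Username/password login succeeded: start a fresh token family."""
        return self._mint(family=secrets.token_hex(8))

    def _revoke_family(self, family: str) -> None:
        for tok in self._tokens.values():
            if tok.family == family:
                tok.revoked = True

    def refresh(self, presented: str) -> Optional[str]:
        """Return the refresh token to hand back to the client, or None to reject."""
        tok = self._tokens.get(presented)
        if tok is None or tok.revoked:
            return None
        if tok.successor is None:
            # First use of this token: rotate it.
            tok.successor = self._mint(tok.family)
            if not self.grace_on_rotation:
                tok.revoked = True   # immediate revocation: the behaviour the issue complains about
            return tok.successor
        # Already rotated: either a retry after a lost response, or a replayed token.
        succ = self._tokens[tok.successor]
        if succ.successor is None and not succ.revoked:
            # Successor never used, so the client evidently never received it: repeat the answer.
            return tok.successor
        # Successor was already used: two parties hold this chain, so revoke all of it (assumption).
        self._revoke_family(tok.family)
        return None
```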