FriendsOfSymfony / oauth2-php

A server implementation of OAuth 2.0
MIT License
515 stars 112 forks

Only one active accessToken #108

Open cored0wn opened 6 years ago

cored0wn commented 6 years ago

Scenario

The client requests an accessToken with a valid authCode.

Expected behavior

The server checks whether a valid, not expired accessToken already exists. If yes, this token would be sent. Otherwise a new token would be generated and sent.

Actual behavior

The server generates a new accessToken every time. So I have multiple valid tokens for the same client.

https://github.com/FriendsOfSymfony/oauth2-php/blob/a41fef63f81ef2ef632350a6c7dc66d15baa9240/lib/OAuth2.php#L861
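The expected behaviour described above, as an added example in PHP that is not part of oauth2-php: look up an unexpired token for the client/user pair before minting one, and report the remaining lifetime when reusing it. The storage interface, class and function names are assumptions.

```php
<?php
// Added example, not oauth2-php's own code; the interface, class and
// function names are hypothetical. Tokens live in memory so it runs stand-alone.
interface AccessTokenStorage
{
    // Token for this client/user pair that is still unexpired at $now, or null.
    public function findActiveToken(string $clientId, string $userId, int $now): ?array;
    public function store(array $token): void;
}

final class InMemoryTokenStorage implements AccessTokenStorage
{
    private array $tokens = [];
    public function findActiveToken(string $clientId, string $userId, int $now): ?array
    {
        foreach ($this->tokens as $t) {
            if ($t['client_id'] === $clientId && $t['user_id'] === $userId && $t['expires'] > $now) {
                return $t;
            }
        }
        return null;
    }
    public function store(array $token): void
    {
        $this->tokens[$token['access_token']] = $token;
    }
}

// Reuse the active token when one exists, otherwise mint a new one. expires_in
// reports the remaining lifetime so a reused token is not advertised as fresh.
function issueOrReuseAccessToken(AccessTokenStorage $storage, string $clientId, string $userId, int $lifetime, int $now): array
{
    $token = $storage->findActiveToken($clientId, $userId, $now);
    if ($token === null) {
        $token = [
            'access_token' => bin2hex(random_bytes(32)),
            'client_id' => $clientId,
            'user_id' => $userId,
            'expires' => $now + $lifetime,
        ];
        $storage->store($token);
    }
    return ['access_token' => $token['access_token'], 'token_type' => 'bearer', 'expires_in' => $token['expires'] - $now];
}

$storage = new InMemoryTokenStorage();
$now = time();
$first = issueOrReuseAccessToken($storage, 'client-a', 'user-1', 3600, $now);
$second = issueOrReuseAccessToken($storage, 'client-a', 'user-1', 3600, $now + 600); // same token, shorter expires_in
var_dump($first['access_token'] === $second['access_token'], $second['expires_in']);
$third = issueOrReuseAccessToken($storage, 'client-a', 'user-1', 3600, $now + 3600); // old one expired: new token
var_dump($third['access_token'] !== $first['access_token']);
```

Note that reusing one token across concurrent sessions means revoking it logs out every session that shares it, so the lookup key (client only versus client/user) should match the revocation model the deployment wants.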

dkarlovi commented 6 years ago

This is an issue because it defeats the purpose of rate limits which now must be made against user/client combo, making it harder to do with prebuilt solutions.