Closed yuriyz closed 2 months ago
Is there a config param that controls whether refresh token rotation is optional?
There is skipRefreshTokenDuringRefreshing, a boolean which indicates whether on rotation to create a new refresh_token or not.
If the value is false, then AS will create a new refresh_token on refreshing. The lifetime of the new refresh_token is set depending on the refreshTokenExtendLifetimeOnRotation configuration property:
- true - new refresh_token gets the full lifetime set via refreshTokenLifetime
- false - lifetime is calculated by AS and is set to the lifetime of the previous refresh_token (meaning it will end at the time when the previous RT would expire)

Issue is fixed in master (4.5.6-SNAPSHOT). Backported to version_4.5.5 and version_4.5.2.sp1.
Artifacts are re-built.
Describe the issue
refresh_token can be used only one time. However, if concurrent calls are sent, AS allows re-using it multiple times.
Expected Behaviour: The refresh token cannot be reused
Actual behavior: During the concurrent call we have observed that we are able to reuse the same refresh token multiple times.
Refresh token should only be used once.
Support: 11874
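Added example (not oxAuth's own code) illustrating both the concurrent-reuse race reported in this issue and the two refreshTokenExtendLifetimeOnRotation behaviours yuriyz describes: a constructed in-memory store where a check-then-delete lets every concurrent refresh succeed, beside an atomic consume that accepts exactly one. The RefreshTokenStore class, consume_racy/consume_atomic and the barrier (used only to make the race deterministic) are constructed for the illustration.

```python
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed, simplified refresh-token store (example code, not oxAuth's own).
class RefreshTokenStore:
    def __init__(self, refresh_token_lifetime=3600, extend_lifetime_on_rotation=True):
        self._tokens = {}                 # token -> expiry (unix seconds)
        self._lock = threading.Lock()
        self.lifetime = refresh_token_lifetime        # refreshTokenLifetime
        self.extend = extend_lifetime_on_rotation     # refreshTokenExtendLifetimeOnRotation

    def issue(self, now, expires_at=None):
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._tokens[token] = now + self.lifetime if expires_at is None else expires_at
        return token

    def expiry_of(self, token):
        with self._lock:
            return self._tokens.get(token)

    def consume_racy(self, token, barrier, now):
        # Check-then-delete with no lock held across both steps: every concurrent caller
        # reads the token as still valid before any of them removes it, so all succeed.
        expires_at = self._tokens.get(token)
        barrier.wait()                    # widens the race window deterministically
        self._tokens.pop(token, None)
        if expires_at is None or expires_at <= now:
            return None
        return self._rotate(expires_at, now)

    def consume_atomic(self, token, barrier, now):
        # Lookup and removal are one critical section: only the first caller gets the expiry.
        barrier.wait()
        with self._lock:
            expires_at = self._tokens.pop(token, None)
        if expires_at is None or expires_at <= now:
            return None
        return self._rotate(expires_at, now)

    def _rotate(self, previous_expiry, now):
        # true: new token gets the full lifetime; false: it inherits the previous expiry.
        return self.issue(now, now + self.lifetime if self.extend else previous_expiry)

def concurrent_refreshes(consume, token, n=5, now=1_000_000):
    """Fire n concurrent refresh calls; returns new tokens (None = refresh rejected)."""
    barrier = threading.Barrier(n)
    with ThreadPoolExecutor(max_workers=n) as pool:
        return list(pool.map(lambda _: consume(token, barrier, now), range(n)))
```

The fix is the critical section, not the barrier: in a real AS the same guarantee comes from an atomic delete-and-return (or a conditional update) in the token store, so a second concurrent refresh of the same refresh_token is rejected.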