GluuFederation / oxAuth

OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)
https://gluu.org/docs/ce
MIT License

fix(oxauth): check race condition during refresh token removal #1909

Closed yuriyz closed 2 months ago

yuriyz commented 3 months ago

Describe the issue

refresh_token can be used only one time. However, if concurrent calls are sent, the AS allows re-using it multiple times.

Expected Behaviour: The refresh token cannot be reused

Actual behavior: During the concurrent call we have observed that we are able to reuse the same refresh token multiple times.

Refresh token should only be used once.

Support: 11874

nynymike commented 3 months ago

Is there a config param that controls whether refresh token rotation is optional?

yuriyz commented 3 months ago

There is the skipRefreshTokenDuringRefreshing boolean, which indicates whether or not to create a new refresh_token on rotation. If the value is false, the AS will create a new refresh_token on refreshing. The lifetime of the new refresh_token is set depending on the refreshTokenExtendLifetimeOnRotation configuration property.
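To make the race in the issue description concrete, and to show how the two rotation settings above interact with a single-use refresh token, here is an added example (not oxAuth's code). The in-memory `RefreshTokenStore`, the `consume_racy` / `consume_atomic` methods, the `refresh` function and the `REFRESH_LIFETIME` constant are all assumed names written for this illustration; the exact lifetime rule applied by `refreshTokenExtendLifetimeOnRotation` in oxAuth is also an assumption here (new full lifetime when extended, otherwise the old token's expiry is carried over). The racy variant reads the token and removes it in two steps, so every caller that gets past the existence check before the first removal succeeds; the atomic variant removes and returns in one step, so exactly one caller wins no matter how the calls interleave.

```python
import secrets
import threading

# Constructed in-memory store (token -> {"sub", "exp"}); stands in for the
# AS persistence layer and is not oxAuth's own implementation.
REFRESH_LIFETIME = 3600  # seconds granted to a newly issued refresh token (assumed default)


class RefreshTokenStore:
    def __init__(self):
        self._tokens = {}
        self._lock = threading.Lock()

    def issue(self, sub, exp):
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._tokens[token] = {"sub": sub, "exp": exp}
        return token

    def peek(self, token):
        with self._lock:
            return self._tokens.get(token)

    def consume_racy(self, token, barrier=None):
        """Check-then-delete: every caller that passes the existence check
        before the first delete gets a valid entry, so the token is reused."""
        with self._lock:
            entry = self._tokens.get(token)
        if entry is None:
            return None
        if barrier:
            barrier.wait()  # models the window between the read and the delete
        with self._lock:
            self._tokens.pop(token, None)
        return entry

    def consume_atomic(self, token, barrier=None):
        """Remove-and-return in one critical section: only one caller succeeds."""
        if barrier:
            barrier.wait()  # same contention, but the removal itself is atomic
        with self._lock:
            return self._tokens.pop(token, None)


def race(consume, token, callers):
    """Run `callers` concurrent consumers of one token; return how many succeeded."""
    barrier = threading.Barrier(callers)
    results = []

    def worker():
        results.append(consume(token, barrier))

    threads = [threading.Thread(target=worker) for _ in range(callers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r is not None)


def refresh(store, token, now, skip_rotation, extend_lifetime):
    """Model of the refresh grant under the two rotation settings.
    Returns {"refresh_token", "exp"} or None when the token is invalid."""
    if skip_rotation:
        # skipRefreshTokenDuringRefreshing=true: keep using the same token.
        entry = store.peek(token)
        if entry is None or entry["exp"] <= now:
            return None
        return {"refresh_token": token, "exp": entry["exp"]}
    # Rotation: the old token must be consumed atomically before a new one is issued.
    entry = store.consume_atomic(token)
    if entry is None or entry["exp"] <= now:
        return None
    new_exp = now + REFRESH_LIFETIME if extend_lifetime else entry["exp"]
    return {"refresh_token": store.issue(entry["sub"], new_exp), "exp": new_exp}


if __name__ == "__main__":
    s = RefreshTokenStore()
    print("racy consumers succeeded:", race(s.consume_racy, s.issue("alice", 10**9), 3))
    s = RefreshTokenStore()
    print("atomic consumers succeeded:", race(s.consume_atomic, s.issue("alice", 10**9), 3))
```

Running the script shows three successful uses of one token under the racy consumer and one under the atomic consumer; the fix for the reported behaviour is the second shape, where the read and the removal cannot be separated by another request.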

yuriyz commented 2 months ago

Issue is fixed in master (4.5.6-SNAPSHOT). Backported to version_4.5.5 and version_4.5.2.sp1.

Artifacts are re-built.