aarc-community / architecture-guidelines


Enhance Refresh Token Flow between OAuth Proxies to Revoke Locally Issued Refresh Token upon Remote Refresh Token Invalidity #30

Open NicolasLiampotis opened 3 months ago

NicolasLiampotis commented 3 months ago

Description:

Enhance the current Refresh Token flow between OAuth Proxies to handle the scenario where a locally issued refresh token (RT_A) needs to be revoked if the corresponding remote Refresh Token (RT_B) is found to be invalid. This change ensures better security and consistency across the OAuth proxies.

Current Flow:

  1. Client Requests New Access Token: The client uses the stored refresh token (RT_A) to request a new access token from OAuth Proxy A (e.g., when the client's access token expires).
  2. OAuth Proxy A Introspection (Internal): The Infrastructure Proxy performs introspection on its own refresh token (RT_A) to ensure its validity.
  3. Conditional Branch Based on Introspection:
    • Valid RT_A: If the Infrastructure Proxy's introspection confirms the validity of its own refresh token (RT_A), it proceeds to the next step.
    • Invalid RT_A: If the introspection reveals an invalid RT_A, OAuth Proxy A responds to the client with an "Invalid Refresh Token Error".
  4. OAuth Proxy B Introspection (if RT_A valid): OAuth Proxy A performs introspection with OAuth Proxy B using the stored refresh token RT_B. This verifies if the refresh token issued by OAuth Proxy B is still valid.
  5. Conditional Branch Based on OAuth Proxy B Introspection:
    • Valid RT_B: If OAuth Proxy B confirms the validity of the refresh token (RT_B), OAuth Proxy A can grant a new access token to the client.
    • Invalid RT_B: If OAuth Proxy B introspection reveals an invalid RT_B, OAuth Proxy A responds to the client with an "Invalid Refresh Token Error".

Proposed Enhancement:

Modify the flow to revoke the locally issued refresh token (RT_A) if the remote refresh token (RT_B) is found to be invalid.

Revised Flow:

  1. Client Requests New Access Token: The client uses the stored refresh token (RT_A) to request a new access token from OAuth Proxy A.
  2. OAuth Proxy A Introspection (Internal): The Infrastructure Proxy performs introspection on its own refresh token (RT_A) to ensure its validity.
  3. Conditional Branch Based on Introspection:
    • Valid RT_A: If the Infrastructure Proxy's introspection confirms the validity of its own refresh token (RT_A), it proceeds to the next step.
    • Invalid RT_A: If the introspection reveals an invalid RT_A, OAuth Proxy A responds to the client with an "Invalid Refresh Token Error".
  4. OAuth Proxy B Introspection (if RT_A valid): OAuth Proxy A performs introspection with OAuth Proxy B using the stored refresh token RT_B. This verifies if the refresh token issued by OAuth Proxy B is still valid.
  5. Conditional Branch Based on OAuth Proxy B Introspection:
    • Valid RT_B: If OAuth Proxy B confirms the validity of the refresh token (RT_B), OAuth Proxy A can grant a new access token to the client.
    • Invalid RT_B: If OAuth Proxy B introspection reveals an invalid RT_B, OAuth Proxy A revokes its own refresh token (RT_A) and responds to the client with an "Invalid Refresh Token Error".

NicolasLiampotis commented 3 months ago

Proposed revision to the Refresh Token flow:

  1. Client Requests New Access Token: The client uses the stored refresh token (RT_A) to request a new access token from OAuth Proxy A.
  2. OAuth Proxy A Introspection (Internal): OAuth Proxy A checks the validity of its own refresh token (RT_A).
  3. Conditional Branch Based on Introspection:
    • Valid RT_A: If OAuth Proxy A confirms the validity of its own refresh token (RT_A), it proceeds to the next step.
    • Invalid RT_A: If local verification reveals an invalid RT_A:
      • OAuth Proxy A SHOULD revoke refresh token RT_B as per RFC 7009
      • OAuth Proxy A removes stored refresh token RT_B
      • OAuth Proxy A responds to the client with an "Invalid Refresh Token Error".
  4. OAuth Proxy B Introspection (if RT_A valid): OAuth Proxy A performs introspection with OAuth Proxy B using the stored refresh token RT_B. This verifies if the refresh token issued by OAuth Proxy B is still valid.
  5. Conditional Branch Based on OAuth Proxy B Introspection:
    • Valid RT_B: If OAuth Proxy B confirms the validity of the refresh token (RT_B), OAuth Proxy A can grant a new access token to the client.
    • Invalid RT_B: If OAuth Proxy B introspection reveals an invalid RT_B:
      • OAuth Proxy A SHOULD revoke its own refresh token (RT_A)
      • OAuth Proxy A removes stored refresh token RT_B
      • OAuth Proxy A responds to the client with an "Invalid Refresh Token Error".

Revised diagram: Refresh Token Flow (Issue #30)
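The revised flow above, written out as an added example (not code from the aarc-community guidelines or any AARC proxy implementation): OAuth Proxy A keeps a local RT_A -> RT_B mapping with an expiry, and Proxy B is an in-memory stub whose `introspect()` and `revoke()` stand in for RFC 7662 introspection and RFC 7009 revocation endpoints; token values, expiries and the `now` clock are constructed for the demonstration.

```python
# Added example, not code from the aarc-community architecture-guidelines.
# Proxy B is a stub: introspect()/revoke() play the RFC 7662 / RFC 7009 roles.
from dataclasses import dataclass, field

class InvalidRefreshTokenError(Exception):
    """Surfaced to the client as the 'Invalid Refresh Token Error'."""

class ProxyB:
    """Stub of the remote OAuth Proxy B holding the RT_B tokens it issued."""
    def __init__(self, active_tokens):
        self.active = set(active_tokens)
        self.revocations = []          # RT_B values Proxy A asked us to revoke
    def introspect(self, token):       # RFC 7662-style response
        return {"active": token in self.active}
    def revoke(self, token):           # RFC 7009: idempotent, always succeeds
        self.revocations.append(token)
        self.active.discard(token)

@dataclass
class ProxyA:
    proxy_b: ProxyB
    # locally issued RT_A -> {"rt_b": stored remote token, "exp": expiry}
    store: dict = field(default_factory=dict)
    revoked_rt_a: set = field(default_factory=set)

    def introspect_local(self, rt_a, now):   # steps 2-3: own-token check
        rec = self.store.get(rt_a)
        return rec is not None and now < rec["exp"]

    def refresh(self, rt_a, now):
        rec = self.store.get(rt_a)
        if not self.introspect_local(rt_a, now):
            if rec is not None:                   # step 3, invalid RT_A:
                self.proxy_b.revoke(rec["rt_b"])  # revoke RT_B at Proxy B ...
                del self.store[rt_a]              # ... and remove it locally
            raise InvalidRefreshTokenError("RT_A invalid")
        if not self.proxy_b.introspect(rec["rt_b"])["active"]:  # step 4
            self.revoked_rt_a.add(rt_a)           # step 5, invalid RT_B:
            del self.store[rt_a]                  # revoke own RT_A, drop RT_B
            raise InvalidRefreshTokenError("RT_B invalid")
        return {"access_token": f"AT-{rt_a}-{now}", "token_type": "Bearer"}

def try_refresh(proxy_a, rt_a, now):
    """Return the token response, or the error message Proxy A raised."""
    try:
        return proxy_a.refresh(rt_a, now)
    except InvalidRefreshTokenError as err:
        return str(err)
```

Both failure branches leave Proxy A with no dangling token on either side: an expired RT_A triggers a remote revocation of RT_B, and an inactive RT_B causes RT_A to be revoked locally before the error is returned.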

NicolasLiampotis commented 3 months ago