Open NicolasLiampotis opened 3 months ago
Proposed revision to Refresh Token flow:

1. The client uses its refresh token (`RT_A`) to request a new access token from OAuth Proxy A.
2. OAuth Proxy A validates `RT_A`.
3. If `RT_A` is valid, it proceeds to the next step.
4. OAuth Proxy A performs introspection with OAuth Proxy B using the stored refresh token `RT_B`. This verifies if the refresh token issued by OAuth Proxy B is still valid.
5. If `RT_B` is valid, OAuth Proxy A can grant a new access token to the client.
6. If `RT_B` is invalid, OAuth Proxy A revokes its own refresh token (`RT_A`) as per RFC 7009 and responds to the client with an "Invalid Refresh Token Error".
Revised diagram:
Description:
Enhance the current Refresh Token flow between OAuth Proxies to handle the scenario where a locally issued refresh token (`RT_A`) needs to be revoked if the corresponding remote refresh token (`RT_B`) is found to be invalid. This change ensures better security and consistency across the OAuth proxies.

Current Flow:

1. The client uses its refresh token (`RT_A`) to request a new access token from OAuth Proxy A (e.g., when the client's access token expires).
2. OAuth Proxy A validates `RT_A` to ensure its validity.
3. If `RT_A` is valid, it proceeds to the next step.
4. If `RT_A` is invalid, OAuth Proxy A responds to the client with an "Invalid Refresh Token Error".
5. (`RT_A` valid): OAuth Proxy A performs introspection with OAuth Proxy B using the stored refresh token `RT_B`. This verifies if the refresh token issued by OAuth Proxy B is still valid.
6. If `RT_B` is valid, OAuth Proxy A can grant a new access token to the client.
7. If `RT_B` is invalid, OAuth Proxy A responds to the client with an "Invalid Refresh Token Error".

Proposed Enhancement:
Modify the flow to revoke the locally issued refresh token (`RT_A`) if the remote refresh token (`RT_B`) is found to be invalid.

Revised Flow:

1. The client uses its refresh token (`RT_A`) to request a new access token from OAuth Proxy A.
2. OAuth Proxy A validates `RT_A` to ensure its validity.
3. If `RT_A` is valid, it proceeds to the next step.
4. OAuth Proxy A performs introspection with OAuth Proxy B using the stored refresh token `RT_B`. This verifies if the refresh token issued by OAuth Proxy B is still valid.
5. If `RT_B` is valid, OAuth Proxy A can grant a new access token to the client.
6. If `RT_B` is invalid, OAuth Proxy A revokes its own refresh token (`RT_A`) and responds to the client with an "Invalid Refresh Token Error".
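The two flows side by side, as an added example that is not part of the issue or the project's code. `ProxyA` and `ProxyB` are hypothetical in-process stand-ins: `ProxyB.introspect` and `ProxyB.revoke` model the RFC 7662 introspection and RFC 7009 revocation endpoints without HTTP, the `revoke_local_on_remote_invalid` flag switches `ProxyA` between the current flow (`False`) and the revised flow (`True`), and the issue's "Invalid Refresh Token Error" is rendered as the RFC 6749 `invalid_grant` error (an assumption; the issue does not name the error code). `run_scenario` revokes `RT_B` upstream, attempts a refresh, and reports whether `RT_A` is still held by Proxy A afterwards.

```python
"""Refresh-token flow between two OAuth proxies, current vs. revised.

Added example (hypothetical classes, not the project's code). Proxy A holds a
client-facing refresh token RT_A mapped to the upstream refresh token RT_B it
obtained from Proxy B. Proxy B is mocked in-process.
"""
from dataclasses import dataclass, field
import secrets


class ProxyB:
    """Mock upstream proxy: RFC 7662 introspection and RFC 7009 revocation."""

    def __init__(self) -> None:
        self._active: set[str] = set()

    def issue_refresh_token(self) -> str:
        rt_b = secrets.token_urlsafe(32)
        self._active.add(rt_b)
        return rt_b

    def introspect(self, token: str) -> dict:
        # RFC 7662: an unknown or revoked token is reported as {"active": false}
        return {"active": token in self._active}

    def revoke(self, token: str) -> None:
        # RFC 7009: revocation is idempotent; unknown tokens are accepted silently
        self._active.discard(token)


@dataclass
class ProxyA:
    upstream: ProxyB
    revoke_local_on_remote_invalid: bool  # False = current flow, True = revised flow
    _store: dict = field(default_factory=dict)  # RT_A -> RT_B

    def issue_refresh_token(self, rt_b: str) -> str:
        rt_a = secrets.token_urlsafe(32)
        self._store[rt_a] = rt_b
        return rt_a

    def has_refresh_token(self, rt_a: str) -> bool:
        return rt_a in self._store

    def revoke(self, rt_a: str) -> None:
        self._store.pop(rt_a, None)

    def refresh(self, rt_a: str) -> dict:
        error = {"error": "invalid_grant", "error_description": "Invalid Refresh Token"}
        # Steps 2-3: validate RT_A locally
        rt_b = self._store.get(rt_a)
        if rt_b is None:
            return error
        # Step 4: introspect RT_B at Proxy B
        if not self.upstream.introspect(rt_b).get("active", False):
            if self.revoke_local_on_remote_invalid:
                self.revoke(rt_a)  # revised flow: RT_A is dropped, not left dangling
            return error
        # Step 5: RT_B still valid, grant a new access token
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_scenario(revised: bool) -> tuple:
    """Revoke RT_B upstream, attempt a refresh, return (error, rt_a_still_stored)."""
    proxy_b = ProxyB()
    proxy_a = ProxyA(upstream=proxy_b, revoke_local_on_remote_invalid=revised)
    rt_b = proxy_b.issue_refresh_token()
    rt_a = proxy_a.issue_refresh_token(rt_b)
    if "access_token" not in proxy_a.refresh(rt_a):
        raise RuntimeError("happy path failed before RT_B was revoked")
    proxy_b.revoke(rt_b)  # RT_B becomes invalid at Proxy B
    resp = proxy_a.refresh(rt_a)
    return resp.get("error"), proxy_a.has_refresh_token(rt_a)


if __name__ == "__main__":
    print("current flow:", run_scenario(revised=False))  # RT_A stays in Proxy A's store
    print("revised flow:", run_scenario(revised=True))   # RT_A is revoked locally
```

In both flows the client receives the same error, so the difference is only visible on Proxy A's side: with the current flow the dead `RT_A` remains stored and every retry costs another introspection round-trip to Proxy B, while the revised flow removes it on the first failure.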