bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License

after refresh token, the old access token has not been deleted. #226

Open DrayChou opened 11 years ago

DrayChou commented 11 years ago

After a refresh token is used, the old access token in Redis storage has not been deleted.

dsquier commented 11 years ago

It doesn't do this in PDO, and I'd guess it's this way across all storage. I think this is more an implementation detail than something required by the OAuth 2.0 spec.

That said, if this was to be considered I'd prefer to see it as a configurable parameter as opposed to the default storage behavior.

bshaffer commented 11 years ago

Looking at the Refresh Token specification, there is no mention of the original access token or what to do with it.

I would like to look at other OAuth2.0 APIs (Google/Facebook/github) and see how they handle this. Is the original access token revoked once a new one is issued?

DrayChou commented 11 years ago

The standard does not mention that the access token should be deleted after the refresh token is submitted. I modified some code, and now handle this in the business layer. Thank you.

JeroenMinnaert commented 10 years ago

I was also wondering what happens to old access/refresh tokens once new ones are issued. I found an interesting example in the Salesforce REST API. They allow 5 access/refresh tokens per client per user ([More info here](http://help.salesforce.com/help/doc/en/remoteaccess_request_manage.htm)). This is particularly useful for testing, where you would log in on multiple instances of your application at the same time.

dsquier commented 10 years ago

Old access/refresh tokens remain. If an expired token is used the library returns an error. You could clean them up by running the following on a regular basis:

```sql
DELETE FROM oauth_access_tokens WHERE expires < now();
DELETE FROM oauth_refresh_tokens WHERE expires < now();
```

This is different from how authorization codes work, which are deleted when exchanged for a token but remain if they expire before use. You could do something similar to clean those up.

Personally, it would be nice to have more configuration around token behavior, such as whether or not a refresh token can be reused. It would be even cooler to configure this on a per-client basis, but I'll defer to @bshaffer on if/how that belongs in the library.
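The two pieces of housekeeping discussed in this thread, the scheduled expiry sweep and revoking the superseded access token right after a refresh succeeds, as an added PHP example that is not part of oauth2-server-php. It assumes the library's default PDO schema (tables `oauth_access_tokens` and `oauth_refresh_tokens` with `access_token`, `client_id`, `user_id` and `expires` stored as a datetime string); the class and method names are hypothetical, and the revoke call is meant to be made from the application layer, as DrayChou describes, not from inside the library.

```php
<?php
// Added example, not library code. Table and column names are the defaults used
// by OAuth2\Storage\Pdo; change them if your storage was configured differently.
final class TokenHousekeeping
{
    /** @var PDO */
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    /**
     * The expiry sweep from the thread as prepared statements, suitable for a
     * cron job. Returns the number of rows removed per table.
     * The library writes `expires` with date('Y-m-d H:i:s'), so compare as text.
     */
    public function purgeExpired(): array
    {
        $now = date('Y-m-d H:i:s');
        $removed = [];
        foreach (['oauth_access_tokens', 'oauth_refresh_tokens'] as $table) {
            $stmt = $this->db->prepare("DELETE FROM {$table} WHERE expires < :now");
            $stmt->execute([':now' => $now]);
            $removed[$table] = $stmt->rowCount();
        }
        return $removed;
    }

    /**
     * Single-active-token policy: after a successful refresh grant, drop every
     * other access token for this client/user pair so the old one stops working
     * immediately instead of lingering until it expires. Pass the access_token
     * value from the token response as $keep. Note this also signs out other
     * devices of the same user for this client; if you want N concurrent tokens
     * (the Salesforce behaviour mentioned above), keep the newest N instead.
     */
    public function revokeSuperseded(string $clientId, string $userId, string $keep): int
    {
        $stmt = $this->db->prepare(
            'DELETE FROM oauth_access_tokens
              WHERE client_id = :client AND user_id = :user AND access_token <> :keep'
        );
        $stmt->execute([':client' => $clientId, ':user' => $userId, ':keep' => $keep]);
        return $stmt->rowCount();
    }
}
```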