Open hickford opened 1 year ago

Feature Description

Configuration option oauth2.INVALIDATE_REFRESH_TOKENS defaults to false. For public clients, refresh token invalidation should be the default following OAuth security best practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-22#name-refresh-tokens

> Refresh tokens for public clients MUST be sender-constrained or use refresh token rotation

The configuration option would then apply only to confidential clients.

Screenshots

No response

Relevant code https://github.com/go-gitea/gitea/blob/d1e066f5d6e1ba91f45118de835c3777eee0811f/routers/web/auth/oauth.go#L149-L156
https://github.com/go-gitea/gitea/blob/d1e066f5d6e1ba91f45118de835c3777eee0811f/routers/web/auth/oauth.go#L732-L739
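The behaviour the issue asks for, as an added illustration that is not Gitea's code: a minimal in-memory refresh-token grant where public clients always get rotation (the used token is revoked when a new one is issued), while confidential clients follow the INVALIDATE_REFRESH_TOKENS setting. The Server, Client and grant types, the token store and the constructed client and user IDs are all assumptions made for this example; only the config option name and the public/confidential distinction come from the issue.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Config mirrors the single option under discussion (hypothetical struct).
type Config struct {
	InvalidateRefreshTokens bool
}

// Client is the registered OAuth client; public clients hold no secret.
type Client struct {
	ID           string
	Confidential bool
}

// grant is what a refresh token resolves to in the token store.
type grant struct {
	clientID string
	userID   string
	revoked  bool
}

// Server is an in-memory stand-in for the authorization server's token store.
type Server struct {
	cfg    Config
	mu     sync.Mutex
	tokens map[string]*grant // refresh token -> grant
}

func NewServer(cfg Config) *Server {
	return &Server{cfg: cfg, tokens: make(map[string]*grant)}
}

// newToken returns 256 bits of randomness, hex-encoded.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue creates the first refresh token of a grant (e.g. after the code exchange).
func (s *Server) Issue(c Client, userID string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt := newToken()
	s.tokens[rt] = &grant{clientID: c.ID, userID: userID}
	return rt
}

// mustRotate: public clients always rotate, per the security BCP quoted in the
// issue; confidential clients follow the operator's configuration.
func (s *Server) mustRotate(c Client) bool {
	if !c.Confidential {
		return true
	}
	return s.cfg.InvalidateRefreshTokens
}

// Refresh handles the refresh_token grant: it validates the presented token,
// issues a new one, and revokes the old one when rotation applies.
func (s *Server) Refresh(c Client, refreshToken string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	g, ok := s.tokens[refreshToken]
	if !ok || g.revoked || g.clientID != c.ID {
		return "", errors.New("invalid_grant")
	}
	if s.mustRotate(c) {
		g.revoked = true // the presented token can no longer be replayed
	}
	next := newToken()
	s.tokens[next] = &grant{clientID: c.ID, userID: g.userID}
	return next, nil
}

func main() {
	s := NewServer(Config{InvalidateRefreshTokens: false})
	pub := Client{ID: "cli-app", Confidential: false} // constructed sample client
	rt := s.Issue(pub, "alice")
	if _, err := s.Refresh(pub, rt); err != nil {
		panic(err)
	}
	_, err := s.Refresh(pub, rt)
	fmt.Println("replay of rotated public-client token rejected:", err != nil)
}
```

With the option left at its default of false, a confidential client can still present the same refresh token repeatedly, which is the operator's choice; a public client cannot, regardless of the setting.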