indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Refresh Tokens #90

Closed dshanske closed 2 years ago

dshanske commented 2 years ago

Tried to add in refresh tokens and expiration.

omz13 commented 2 years ago

I'm not sure if this is mentioned elsewhere, in the section 'Refreshing an Access Token' perhaps mention that a refresh can be requested anytime at the discretion of the client; i.e. it does have to wait for an access code to expire before using its refresh token to request a new one.

dshanske commented 2 years ago

Good idea...I was trying to summarize the refresh flow and need to cite other sources for guidance. But that one I think should be included

dshanske commented 2 years ago

Re the CHANGES section, that would be after we merge these, we'd add it.

reiterate-app commented 2 years ago

My comments on https://github.com/indieweb/indieauth/pull/94#r706650664 also apply here. The grant_type parameter by itself is insufficient for an endpoint to determine what action to take in response to a POST request at the token endpoint.

dshanske commented 2 years ago

@jamietanna In your implementation, you send client_id, which isn't in my PR.

dshanske commented 2 years ago

Noting my description doesn't talk about client authentication, which is used in OAuth 2's refresh, and needs discussion.

jamietanna commented 2 years ago

Hmm, yes client_id is only required if client authentication is required, which we won't be doing for public (IndieAuth) clients.

I'll check if my server supports not sending it but agreed that can be optional 👍🏽

dshanske commented 2 years ago

Hmm, yes client_id is only required if client authentication is required, which we won't be doing for public (IndieAuth) clients.

I'll check if my server supports not sending it but agreed that can be optional 👍🏽

I was thinking about this. It can be used to check to see if the client matches the original, but if you have a compromised refresh token, you probably have the client ID it came from.

aaronpk commented 2 years ago

The client_id parameter is required to be sent to the token endpoint if there is no client authentication. This is true both in OAuth 2.0 and 2.1:

The motivation for sending it in 2.0 is out of date, but it is still required and still can benefit the authorization server, such as being able to search a smaller index by first adding the client_id to the DB lookup. But you are correct that it doesn't add any additional security protection of the refresh token.
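To make the thread's points concrete, here is an added example (not code from the indieauth repository or from any commenter) of a token endpoint dispatching on grant_type and handling the refresh_token grant for a public client with no client authentication. It treats client_id as the required lookup key aaronpk describes and as a consistency check against the original grant, rotates the refresh token on use, and returns the profile URL with the new access token; the in-memory store, token lifetime and sample values are constructed assumptions.

```python
import secrets

# Constructed in-memory store of issued refresh tokens, keyed by token string.
# A real server would persist this; the record shape is an assumption.
REFRESH_TOKENS = {
    "rt-constructed-1": {
        "client_id": "https://app.example/",
        "me": "https://user.example/",
        "scope": "create update",
        "revoked": False,
    },
}

ACCESS_TOKEN_LIFETIME = 3600  # seconds; assumed value, not from the spec


def handle_token_request(form: dict) -> tuple[int, dict]:
    """Handle a POST to the token endpoint; returns (HTTP status, JSON body).

    Only the refresh_token grant is implemented here. Other grant types are
    rejected so the dispatch on grant_type is explicit rather than implied.
    """
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    client_id = form.get("client_id")
    if not client_id:
        # Public clients do not authenticate, so client_id must be present.
        return 400, {"error": "invalid_request"}
    record = REFRESH_TOKENS.get(form.get("refresh_token", ""))
    # A revoked (already used) token or a client_id that does not match the
    # original grant is rejected. The client_id check is a consistency check,
    # not a secret: anyone holding the token likely knows the client_id too.
    if record is None or record["revoked"] or record["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}
    # Rotate: the presented refresh token is single-use; issue a fresh one.
    record["revoked"] = True
    new_refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[new_refresh] = {**record, "revoked": False}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_LIFETIME,
        "refresh_token": new_refresh,
        "me": record["me"],
        "scope": record["scope"],
    }
```

Because the old token is revoked on use, a replay of a leaked refresh token after the legitimate client has refreshed fails with invalid_grant, which is a useful signal to log.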

dshanske commented 2 years ago

@aaronpk @jamietanna I think I updated everything requested.

dshanske commented 2 years ago

Check to see if PR explicitly says that profile information is to be returned in flow.