tableau / connector-plugin-sdk

SDK for Developing Tableau Connector Plugins
https://tableau.github.io/connector-plugin-sdk/
MIT License

[Feature Request] Single Use Refresh Token/Refresh Token Writeback #1148

Open xsgao-github opened 1 year ago

xsgao-github commented 1 year ago

Describe the bug

Related issue: #1147

We added external/custom OAuth config support based on the doc tableau.github.io/connector-plugin-sdk/docs/oauth. It works in Tableau Desktop but not in Tableau Prep.

The problem is that Tableau Prep uses an expired refresh token to call the IDP (in this case, Galaxy). Please refer to the attached file here:

token_requests.txt

Screenshots

image

Desktop (please complete the following information):

About you:
Name: Song Gao
Company: Starburst Data

lukewrites commented 1 year ago

Internal tracking: W-13691799

jkoskela commented 1 year ago

We don't currently support single-use refresh tokens. We expect that tokens are long lived and can be used to refresh multiple access tokens until they expire. But I don't see that documented anywhere, so I will get that fixed.

xsgao-github commented 1 year ago

https://www.rfc-editor.org/rfc/rfc6749#section-10.4 suggests rotating refresh tokens and defending against reuse of old refresh tokens.

MS implementation: "Securely delete the old refresh token after acquiring a new one"

Okta: "As soon as the new tokens are issued, Okta invalidates the refresh token that was passed with the initial request to the /token endpoint"

How would I get a notification when this fix is deployed to the Tableau server/online/prep? @jkoskela
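The rotation behaviour described in the comment above, as an added example that is not part of this issue or of the connector-plugin-sdk project: a toy token endpoint that issues a fresh refresh token on every refresh call and, as RFC 6749 section 10.4 suggests, treats reuse of a consumed refresh token as a possible leak and revokes the whole token family. Two simulated clients run against it: one that writes the rotated refresh token back to its store, and one that keeps presenting the refresh token from the initial sign-in (the behaviour the issue reports for Tableau Prep). A `rotate=False` switch models an IDP whose refresh tokens remain valid across refreshes. All token formats, the `RotatingTokenEndpoint` class, the `run_client` helper and the family/audit bookkeeping are made up for this demonstration.

```python
"""Added example: single-use refresh tokens with reuse detection (server side)
and the effect of (not) writing the rotated token back (client side).
Not code from the connector-plugin-sdk project; all names are hypothetical."""
import secrets
from dataclasses import dataclass, field


@dataclass
class RotatingTokenEndpoint:
    """Toy OAuth token endpoint.

    rotate=True : every refresh consumes the presented refresh token and issues a
                  new one; presenting a consumed token revokes its whole family.
    rotate=False: the same refresh token stays valid for repeated refreshes.
    """
    rotate: bool = True
    live: dict = field(default_factory=dict)      # refresh_token -> family_id
    consumed: dict = field(default_factory=dict)  # refresh_token -> family_id
    revoked_families: set = field(default_factory=set)
    calls: list = field(default_factory=list)     # audit log of outcomes

    def authorize(self) -> dict:
        """Initial grant (e.g. authorization code exchange): start a new family."""
        return self._issue(secrets.token_hex(4))

    def _issue(self, family: str) -> dict:
        rt = "rt_" + secrets.token_urlsafe(16)
        self.live[rt] = family
        return {"access_token": "at_" + secrets.token_urlsafe(16),
                "refresh_token": rt, "expires_in": 300}

    def refresh(self, presented: str) -> dict:
        """grant_type=refresh_token. Returns an RFC 6749 5.2 error dict on failure."""
        if not self.rotate:
            if presented not in self.live:
                self.calls.append("unknown_token")
                return {"error": "invalid_grant"}
            self.calls.append("reused_ok")
            return {"access_token": "at_" + secrets.token_urlsafe(16),
                    "refresh_token": presented, "expires_in": 300}
        if presented in self.consumed:
            # Reuse of an already rotated token: revoke every live token in the family.
            family = self.consumed[presented]
            self.revoked_families.add(family)
            self.live = {t: f for t, f in self.live.items() if f != family}
            self.calls.append("reuse_detected")
            return {"error": "invalid_grant"}
        family = self.live.pop(presented, None)
        if family is None or family in self.revoked_families:
            self.calls.append("unknown_token")
            return {"error": "invalid_grant"}
        self.consumed[presented] = family
        self.calls.append("rotated")
        return self._issue(family)


def run_client(idp: RotatingTokenEndpoint, writeback: bool, refreshes: int) -> list:
    """Simulate a client that refreshes `refreshes` times after one sign-in.

    writeback=True  -> persist the refresh_token from every token response.
    writeback=False -> keep using the refresh_token from the initial grant.
    Returns one outcome per refresh call: "ok" or the error code returned.
    """
    store = idp.authorize()          # what the client persisted after sign-in
    outcomes = []
    for _ in range(refreshes):
        resp = idp.refresh(store["refresh_token"])
        if "error" in resp:
            outcomes.append(resp["error"])
            continue
        outcomes.append("ok")
        if writeback:
            store = resp             # rotated refresh token written back
        else:
            store["access_token"] = resp["access_token"]  # old refresh token kept
    return outcomes


if __name__ == "__main__":
    print("rotating IDP, writeback:   ", run_client(RotatingTokenEndpoint(), True, 3))
    print("rotating IDP, no writeback:", run_client(RotatingTokenEndpoint(), False, 3))
    print("non-rotating IDP, no writeback:",
          run_client(RotatingTokenEndpoint(rotate=False), False, 3))
```

Against the rotating endpoint the non-writeback client succeeds exactly once; its second refresh presents a consumed token, which the endpoint treats as a replay and revokes the family, so even the token it was handed on the first refresh is dead. Against the non-rotating endpoint the same client works indefinitely, which is why a connector that only ever targeted such IDPs never surfaces the problem.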

jkoskela commented 1 year ago

Okay I will reopen so it can be tracked, but this isn't prioritized.

According to the RFC "Authorization servers MAY issue refresh tokens to web application clients and native application clients." They only mentioned SHOULD where client authentication is not possible. This does not apply in this case, since we use client authentication.

In the case of Microsoft "The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens."

In the case of Okta, single-use refresh tokens are only the default for SPAs, which we are not. We use Okta for federation for other connectors and don't have an issue with this.

We are aware that some IDP scenarios use single-use refresh tokens. We have run into this issue with other connectors already. We want to get to it, but like I said before, it isn't prioritized.