Closed janhopman-nhb closed 3 years ago
Sephster
commented
3 years ago Thanks @janhopman-nhb - is there a way to implement this that won't break BC? If not, I think we will leave this PR for now. I also want to change refresh tokens so they don't have an expiration as this isn't part of the spec so would like to roll that into one as part of a major release. Thanks
janhopman-nhb
commented
3 years ago Hi @Sephster, Thank you for your reply! We will have a look if we can implement without breaking BC.
janhopman-nhb
commented
3 years ago Hi @Sephster, is it possible to approve running the workflows by any chance?
Sephster
commented
3 years ago Done, thanks!
janhopman-nhb
commented
3 years ago @Sephster Really sorry for bothering you... 😅 Just fixed the bc issue i think, but the workflows need to be triggerd again to confirm...
Sephster
commented
3 years ago LGTM - thank you for your work on this @janhopman-nhb
Hi, Recently we (my colleagues and i) came across a specific use case in our software which uses oauth2-server where we needed to prevent refresh tokens to be revoked after requesting a new access token. We looked at the ouath rfc and read that this behaviour is allowed according to the spec. I've gone ahead and implemented the change in this pull request. See below for references to the specific information on refresh tokens in the rfc.
According to section 1.5, issuing a new refresh token is optional (see step H). Also according to section 4.1 which describes the authorization code grant type, the refresh token is optional (see step E). Finally according to section 6 (Refreshing an Access token), in the last paragraph it states that the server MAY issue a new refresh token. And also states that the server MAY revoke the old refresh token.
Hoping someone can take a look at this, any suggestions and/or feedback, would be much appreciated!