- Type: Story
- Status: Closed
- Priority: Minor
- Resolution: Completed
- Affects Version/s: Master
- Fix Version/s: Master, 1.1-marketplace_7.1.0
- Component/s: None
- Labels:
- Epic/Theme:
- Sprint: AS | Iteration 3, AS | Iteration 4, AS | Iteration 5
- Git Pull Request:

During the Refresh Token grant, it is possible to generate a new pair of access and refresh tokens.
While issuing a new pair is the safer option (it prevents replay attacks), RFC 6749 (The OAuth 2.0 Authorization Framework) doesn't require the server to issue a new refresh token, and some implementations may require recycling the refresh token for repeated use:
The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.
The goal of this story is to support refresh token recycling.
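
The two behaviours described above, as an added example that is not this project's code: a toy in-memory token service where a policy switch selects between rotating the refresh token on every refresh and recycling the same one. `TokenService`, `recycle_refresh_token` and `is_accepted` are hypothetical names, and the client ids are constructed sample values.

```python
import secrets


class TokenService:
    """Toy in-memory authorization server (constructed for illustration)."""

    def __init__(self, recycle_refresh_token, access_ttl=300):
        self.recycle = recycle_refresh_token  # hypothetical policy switch
        self.access_ttl = access_ttl
        self.active = {}      # refresh token -> client_id it was issued to
        self.rotated = set()  # refresh tokens replaced by a newer one

    def issue_initial(self, client_id):
        return self._respond(client_id, secrets.token_urlsafe(32))

    def refresh(self, client_id, refresh_token):
        if refresh_token in self.rotated:
            # A replaced token is presented again: the replay case that
            # rotation makes visible and recycling cannot detect.
            raise PermissionError("invalid_grant: refresh token already used")
        if self.active.get(refresh_token) != client_id:
            # Unknown token, or token bound to a different client.
            raise PermissionError("invalid_grant")
        if self.recycle:
            # Recycling: new access token, same refresh token stays valid.
            return self._respond(client_id, refresh_token)
        # Rotation: revoke the old refresh token and issue a new pair.
        del self.active[refresh_token]
        self.rotated.add(refresh_token)
        return self._respond(client_id, secrets.token_urlsafe(32))

    def _respond(self, client_id, refresh_token):
        self.active[refresh_token] = client_id
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": self.access_ttl,
            "refresh_token": refresh_token,
        }


def is_accepted(service, client_id, refresh_token):
    """Return True if the service honours this refresh request."""
    try:
        service.refresh(client_id, refresh_token)
        return True
    except PermissionError:
        return False
```

With recycling enabled, a copied refresh token stays usable for as long as the original does, so its lifetime and revocation path carry the protection that rotation would otherwise provide.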