[OAUTH2-227] Refresh Token Recycling - Liferay Issues

Details

Type: Story
Status: Closed
Priority: Minor
Resolution: Completed
Affects Version/s: Master
Fix Version/s: Master, 1.1-marketplace_7.1.0
Component/s: None
Labels:
- planned_for_7.2
- security-nov18

Epic/Theme:
- OAuth-2
Sprint:
AS | Iteration 3, AS | Iteration 4, AS | Iteration 5
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/64010

Description

During Refresh Token Grant Type it is possible to generate a new pair of access and refresh tokens.

While issuing a new pair is a safer option (prevents reply attack) RFC 6749 OAuth2 Framework doesn't require server to issue new refresh token and some implementations may require on recycling the refresh token for repeated use:

The authorization server MAY issue a new refresh token, in which case
 the client MUST discard the old refresh token and replace it with the
 new refresh token. The authorization server MAY revoke the old
 refresh token after issuing a new refresh token to the client.

The goal of this story is to support refresh token recycling.

Attachments

Activity

People

Assignee:

Joshua Chong

Reporter:

Tomas Polesovsky (topolik)

Participants of an Issue:

Joshua Chong, Tomas Polesovsky (topolik)

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

10/Oct/18 1:19 PM

Updated:

13/Dec/18 12:20 PM

Resolved:

29/Oct/18 12:56 PM

Packages

Version	Package
Master
1.1-marketplace_7.1.0