  1. PUBLIC - OAuth2
  2. OAUTH2-227

Refresh Token Recycling

    Details

      Description

      During the Refresh Token grant type it is possible to generate a new pair of access and refresh tokens.

      While issuing a new pair is the safer option (it prevents replay attacks), RFC 6749 OAuth2 Framework doesn't require the server to issue a new refresh token, and some implementations may require recycling the refresh token for repeated use:

      The authorization server MAY issue a new refresh token, in which case
       the client MUST discard the old refresh token and replace it with the
       new refresh token. The authorization server MAY revoke the old
       refresh token after issuing a new refresh token to the client. 

       

      The goal of this story is to support refresh token recycling.
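
      The two behaviours the RFC text permits, as an added sketch that is not code from this project: an in-memory token endpoint with a switch between recycling (the same refresh token stays valid) and rotation (the old token is revoked, so a replayed copy is rejected). The class `TokenStore`, its `recycle_refresh_token` flag and the client names are hypothetical.

```python
import secrets


class TokenStore:
    """Hypothetical in-memory authorization-server store, for illustration only."""

    def __init__(self, recycle_refresh_token, access_ttl=300):
        self.recycle = recycle_refresh_token  # True = recycle, False = rotate
        self.access_ttl = access_ttl
        self.refresh = {}  # refresh token -> {"client", "scope", "active"}

    def _new_refresh(self, client_id, scope):
        token = secrets.token_urlsafe(32)
        self.refresh[token] = {"client": client_id, "scope": scope, "active": True}
        return token

    def _response(self, refresh_token, scope):
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": self.access_ttl,
            "refresh_token": refresh_token,
            "scope": scope,
        }

    def issue(self, client_id, scope):
        """Initial grant: hand out the first access/refresh pair."""
        return self._response(self._new_refresh(client_id, scope), scope)

    def refresh_grant(self, client_id, presented):
        """Handle grant_type=refresh_token for an authenticated client."""
        rec = self.refresh.get(presented)
        # The token must exist, be bound to this client and not be revoked.
        if rec is None or rec["client"] != client_id or not rec["active"]:
            return {"error": "invalid_grant"}
        if self.recycle:
            # Recycling: only the access token is new; the refresh token
            # remains valid for repeated use (a server may also simply
            # omit the refresh_token field from the response).
            return self._response(presented, rec["scope"])
        # Rotation: revoke the presented token and issue a replacement,
        # so a stolen copy of the old token is rejected when replayed.
        rec["active"] = False
        return self._response(self._new_refresh(client_id, rec["scope"]), rec["scope"])
```

      With recycling enabled, a leaked refresh token remains usable until it expires or is revoked, so binding it to the authenticated client (as checked above) and limiting its lifetime carry more weight than they do under rotation.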


                Packages

                Version Package
                Master
                1.1-marketplace_7.1.0