cxf-users mailing list archives

From Sergey Beryozkin <>
Subject Re: OAuth 2.0 refreshAccessToken revokes refreshToken
Date Thu, 11 Dec 2014 16:25:43 GMT
On 11/12/14 15:59, Jose Escobar wrote:
> Hello to all,
> I'm using CXF to implement an OAuth2 server with password and refresh_token
> grant types.
> Everything works correctly, but I found a strange behaviour
> on refreshAccessToken method of AbstractOAuthDataProvider. In this method
> the refreshToken is revoked and a new one is generated, and also a new
> access token is generated. Expected work is just to refresh the access
> token, not also the refresh token.
> I know I can override this on my implementation of
> AbstractOAuthDataProvider abstract class (I've done it), but why is that
> behavior the default one?
As far as I understand, it is the best practice to recycle the actual 
refresh token too when the opportunity arises; it has a longer life 
cycle and as such the risk of it possibly being misused is somewhat
mentions "The authorization server MAY issue a new refresh token..."

The threat model doc also talks about it:

Cheers, Sergey
> Best regards,
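To make the trade-off in this thread concrete, here is a small model of a token store that implements the behaviour Sergey describes: a successful refresh_token grant revokes the refresh token that was presented and issues a fresh access token plus a fresh refresh token, so a leaked or stolen refresh token stops working as soon as the legitimate client has refreshed once. The same store can be switched to the non-recycling behaviour Jose asked about for comparison. This is an added example, not CXF code; it does not use the CXF API, and the token lifetimes, the client id check and the `TokenStore` class are assumptions made for the illustration.

```python
"""Model of refresh-token rotation (added example, not Apache CXF code).

A refresh grant that succeeds revokes the presented refresh token and
issues a new access token and a new refresh token. With recycling turned
off, only the access token is renewed and the refresh token lives on.
"""
import secrets
import time
from dataclasses import dataclass

ACCESS_LIFETIME = 3600              # assumed: access tokens live 1 hour
REFRESH_LIFETIME = 30 * 24 * 3600   # assumed: refresh tokens live 30 days


@dataclass
class Token:
    value: str
    client_id: str
    scopes: tuple
    issued_at: float
    lifetime: int
    revoked: bool = False

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.lifetime


class TokenStore:
    """Hypothetical in-memory data provider keyed by token value."""

    def __init__(self, recycle_refresh_tokens: bool = True):
        self.recycle_refresh_tokens = recycle_refresh_tokens
        self.access = {}
        self.refresh = {}

    def _new(self, table, client_id, scopes, lifetime, now) -> Token:
        # Opaque, unguessable token values (constructed; no real format implied).
        token = Token(secrets.token_urlsafe(32), client_id, scopes, now, lifetime)
        table[token.value] = token
        return token

    def issue(self, client_id: str, scopes: tuple, now: float = None):
        """Initial grant (e.g. password grant): one access and one refresh token."""
        now = time.time() if now is None else now
        return (self._new(self.access, client_id, scopes, ACCESS_LIFETIME, now),
                self._new(self.refresh, client_id, scopes, REFRESH_LIFETIME, now))

    def refresh_access_token(self, client_id: str, refresh_value: str,
                             now: float = None):
        """refresh_token grant. Returns (new_access_token, refresh_token_to_use)."""
        now = time.time() if now is None else now
        current = self.refresh.get(refresh_value)
        # Unknown, revoked, expired, or presented by a different client: reject.
        # A revoked token being presented again is exactly the misuse that
        # recycling is meant to cut short.
        if (current is None or current.revoked or current.expired(now)
                or current.client_id != client_id):
            raise PermissionError("invalid_grant")
        new_access = self._new(self.access, client_id, current.scopes,
                               ACCESS_LIFETIME, now)
        if not self.recycle_refresh_tokens:
            # Behaviour Jose implemented: keep the long-lived refresh token as is.
            return new_access, current
        # Default behaviour discussed in the thread: retire the old refresh
        # token and hand the client a new one alongside the new access token.
        current.revoked = True
        new_refresh = self._new(self.refresh, client_id, current.scopes,
                                REFRESH_LIFETIME, now)
        return new_access, new_refresh


def demo() -> bool:
    """Show that a recycled refresh token cannot be replayed after one refresh."""
    store = TokenStore()
    _, first_refresh = store.issue("client-a", ("read",), now=1000.0)
    _, second_refresh = store.refresh_access_token("client-a", first_refresh.value,
                                                   now=2000.0)
    try:
        store.refresh_access_token("client-a", first_refresh.value, now=2001.0)
    except PermissionError:
        return second_refresh.value != first_refresh.value
    return False


if __name__ == "__main__":
    print("old refresh token rejected after rotation:", demo())
```

With `recycle_refresh_tokens=True` the window in which a copied refresh token is usable ends at the next legitimate refresh rather than at the refresh token's own expiry, which is the point Sergey makes about the longer life cycle; the cost is that the client must store the new refresh token returned with every refresh response.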
