cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: OAuth 2.0 refreshAccessToken revokes refreshToken
Date Thu, 11 Dec 2014 16:25:43 GMT
Hi
On 11/12/14 15:59, Jose Escobar wrote:
> Hello to all,
>
> I'm using CXF to implement an OAuth2 server with password and refresh_token
> grant types.
>
> Everything works correctly, but I found a strange behaviour
> in the refreshAccessToken method of AbstractOAuthDataProvider. In this method
> the refreshToken is revoked and a new one is generated, and a new
> access token is generated as well. The expected behaviour is just to refresh the access
> token, not the refresh token too.
>
> I know I can override this on my implementation of
> AbstractOAuthDataProvider abstract class (I've done it), but why is that
> behavior the default one?
As far as I understand, it is best practice to recycle the actual 
refresh token too when the opportunity arises; it has a longer life 
cycle and as such the risk of it possibly being misused is somewhat
higher.

https://tools.ietf.org/html/rfc6749#section-6
mentions "The authorization server MAY issue a new refresh token..."

The threat model doc also talks about it:

https://tools.ietf.org/html/rfc6819#section-5.2.2.3

Cheers, Sergey
>
> Best regards,
>
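As an added illustration of the rotation Sergey describes (standalone Python, not Apache CXF's AbstractOAuthDataProvider or any CXF API), the in-memory store below revokes the old refresh token on every refresh and, following RFC 6819 section 5.2.2.3, treats a replayed old token as a sign of parallel use and revokes the whole grant. Token values, client ids and scopes are constructed for the example.

```python
"""Refresh-token rotation with reuse detection (added example, not CXF code)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Grant:
    """One authorization grant (client + resource owner) and its token family."""
    client_id: str
    scopes: tuple
    active_refresh: Optional[str] = None              # the only refresh token currently valid
    retired_refresh: set = field(default_factory=set)  # tokens rotated out on earlier refreshes
    revoked: bool = False


class TokenStore:
    def __init__(self):
        self._grants = {}  # refresh token (active or retired) -> Grant

    def _issue(self, grant):
        # New access token AND new refresh token, as RFC 6749 section 6 permits.
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        grant.active_refresh = refresh
        self._grants[refresh] = grant
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

    def password_grant(self, client_id, scopes):
        """Initial issue for the password grant (credentials assumed already verified)."""
        return self._issue(Grant(client_id, tuple(scopes)))

    def refresh_access_token(self, client_id, refresh_token):
        """Rotate: retire the presented refresh token and issue a fresh pair."""
        grant = self._grants.get(refresh_token)
        if grant is None or grant.revoked or grant.client_id != client_id:
            return None  # invalid_grant
        if refresh_token != grant.active_refresh:
            # A retired token came back: either the legitimate client lost the
            # earlier response or a second party holds a copy (RFC 6819 5.2.2.3).
            # Revoke the whole family so neither side can continue.
            grant.revoked = True
            grant.active_refresh = None
            return None
        grant.retired_refresh.add(refresh_token)
        return self._issue(grant)
```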

