reuse_access_token config should be used when refreshing a token

[PhilippeChab]

Maybe I am wrong, but I feel like reuse_access_token should apply when refreshing a token that has not expired yet.

An improper use of the refesh_token grant type could lead to the creation of an unnecessary number of access tokens and bloat the underlying database.

I believe the only change needed to make this possible would be to replace create_for here by the find_or_create_for method of the access token mixin.

[ThisIsMissEm]

I'd disagree with this, as if you are using refresh tokens with reuse_access_token, you're explicitly saying "please generate a new access token", i.e., I think what you're proposing would render refresh tokens pointless.

[PhilippeChab]

I'd disagree with this, as if you are using refresh tokens with reuse_access_token, you're explicitly saying "please generate a new access token", i.e., I think what you're proposing would render refresh tokens pointless.

Well, it is definitively not pointless, since you'll need to refresh your access token eventually nonetheless.

But I understand that if you explicitly ask to refresh your current token, it could be considered weird/a bug to return the current, unexpired token. If it is a matter of security, the "good" way to invalidate your tokens would be to revoke them however.

I don't know. Maybe it should be configurable?

[ThisIsMissEm]

I'd probably say "reuse_access_token" should maybe be considered incompatible with refresh tokens? Maybe?

Token reuse in general is a really bad idea, imo, and not having expiry on tokens that are not PATs is really not a good idea, but even PATs should probably expire & be refreshed regularly.

[PhilippeChab]

@nbulaj I am curious, what is your opinion on this?