There is no way to refresh an access token without revoking the previous access token #1730
Comments
|
@ransombriggs did you develop a workaround for this? I am also trying to enable an access token to be refreshed without revoking the previous access token |
|
@jessieay Not exactly, we have a custom revocation process which excludes this case and allows for access tokens to remain functional after being refreshed, even though if you introspect them we will report that they are not. A real fix for this would require a database change to |
|
Technically it would probably require two columns, one for the revocation and one to toggle on before / after upgrade behavior to avoid a back fill of data from before the change since we do not know if the access or refresh token was revoked before the upgrade and would want to preserve current behavior until they are cleaned up. |
Steps to reproduce
Right now there appears to be two possible behaviors when a refresh token is refreshed.
previous_refresh_tokencolumn exists then the refresh token / access token are both revoked when theTokenInfoController::showaction is requested for the first time.Desired behavior
I was wondering why we revoke both the refresh and access token at the same time when revoked immediately. I would have expected that the refresh token would be revoked, but that the old access token would remain valid until it expired. I had assumed I missed something in the RFC about this but could not find anything. I would try and hack this in, but since refresh tokens and access tokens use the same model + column for revocation it was not straight forward.
The text was updated successfully, but these errors were encountered: