Sounds great, good for you. 

And yes, I'd certainly agree. A never-expiring RT or any token/ticket for that 
matter is generally a very bad idea. 

--Misagh 

> From: "Anders Olsen" <anders.ol...@dof.dk>
> To: "CAS Community" <cas-user@apereo.org>
> Cc: "Misagh Moayyed" <mmoay...@unicon.net>
> Sent: Thursday, February 1, 2018 7:40:42 AM
> Subject: Re: [cas-user] [OAuth2] Generate new refresh token when using a previous refresh-token

> Thank you for your answer.

> I have a bit of a concern about making the refresh tokens never expire, since
> that would increase the possibility of intercepting the refresh token.
> I'll have a poke at the code and see if I can possibly make a new flag in the
> properties that users can set, and then make a pull request.

> Regards
> Anders Olsen

> On Thursday, 1 February 2018 at 14:48:02 UTC+1, Misagh Moayyed wrote:
>> There isn't, but you can design an expiration policy for the relevant tokens
>> so they don't ever expire.

>> --Misagh

>>> From: "Anders Olsen" <anders...@dof.dk>
>>> To: cas-...@apereo.org
>>> Sent: Thursday, February 1, 2018 4:06:54 AM
>>> Subject: [cas-user] [OAuth2] Generate new refresh token when using a previous refresh-token

>>> Hi everyone!

>>> I am currently working on setting up CAS as the new SSO solution for our
>>> website.

>>> In addition to a traditional website, we also have native apps for Android
>>> and (soon) iOS that use OAuth2 to authenticate, as they need to have offline
>>> capability and thus cannot use a regular session.

>>> I have got most of the OAuth2 functionality to work, using this service
>>> definition:

>>> {
>>>   "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>>>   "clientId" : "XXX",
>>>   "clientSecret" : "XXXXX",
>>>   "generateRefreshToken" : true,
>>>   "jsonFormat" : true,
>>>   "supported_grants" : [ "password", "refresh_token" ],
>>>   "name" : "OAuth2 (Android)",
>>>   "id" : 201801311512
>>> }

>>> (Client ID and secret have been obfuscated.)

>>> This also works fine to gain access tokens:

>>> Using password:

>>> {
>>>   "access_token": "AT-1-82jDv1D3pkvex5C1UYjKreBdhhw5omzc",
>>>   "token_type": "bearer",
>>>   "expires_in": 28800,
>>>   "refresh_token": "RT-1-so451CeJyePgl2RmXnefODw0nV9jTAgX"
>>> }

>>> Using refresh token:

>>> {
>>>   "access_token": "AT-2-7a6-eLsKlX9-jyYynqFjTqsneLE8WnlN",
>>>   "token_type": "bearer",
>>>   "expires_in": 28800
>>> }

>>> However, this means that when the refresh token expires, the user is totally
>>> shut out of CAS and has to re-login with his credentials.

>>> I would like for the user to never have to login again after logging in the
>>> first time.

>>> Our previous OAuth2 server is based on
>>> http://bshaffer.github.io/oauth2-server-php-docs/ and one of the settings
>>> there, under
>>> http://bshaffer.github.io/oauth2-server-php-docs/grant-types/refresh-token/
>>> is a flag “always_issue_new_refresh_token” which is default false but can be
>>> set to true to give the user a new refresh token whenever the previous refresh
>>> token is used for creating a new access token.

>>> Is there a setting or configuration in CAS that will enable the same
>>> behavior?

>>> Thank you for your time.

>>> Regards,

>>> Anders Olsen

>>> Software Developer

>>> Tel +45 3328 3800

>>> DOF / Birdlife Denmark | Vesterbrogade 140 | 1620 København V | www.dof.dk

>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3B91F9D1-39B8-4549-9AE7-5C4A4E946AF2%40dof.dk.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/732350179.13665698.1517496482427.JavaMail.zimbra%40unicon.net.

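The behaviour Anders asks for (a fresh refresh token on every refresh_token grant, so that long-lived access does not require a never-expiring token) is refresh-token rotation. The following is an added example written for this thread; it is not CAS code and not the bshaffer library's implementation. It models a token endpoint's storage layer in plain Python: a password grant starts a token "family", each refresh_token grant retires the presented token and issues a new one with a fresh (assumed 30-day) sliding expiry, and presenting an already-retired token is treated as replay by either the real client or an interceptor, so the whole family is revoked. The `TokenStore` class, the `REFRESH_TTL` value, the family bookkeeping and the error strings are all assumptions made for illustration; only the `expires_in` of 28800 and the token-prefix style come from the thread.

```python
"""Refresh-token rotation with reuse detection (added example, not CAS code).

Assumptions (hypothetical, not taken from CAS or the thread):
  - REFRESH_TTL is a 30-day sliding window; each rotation issues a token with
    a fresh window, so an app that refreshes at least that often never forces
    the user to re-enter credentials, yet no single token lives for ever.
  - Refresh tokens issued from one login form a "family"; reuse of a retired
    token revokes the entire family (OAuth 2.0 Security BCP style).
"""
import secrets
import time

ACCESS_TTL = 28800          # seconds; same expires_in as the responses above
REFRESH_TTL = 30 * 86400    # assumption: 30-day sliding window per refresh token


def _error(code, description):
    # Shape of an RFC 6749 section 5.2 token error response.
    return {"error": code, "error_description": description}


class TokenStore:
    """In-memory token store; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.refresh_tokens = {}      # refresh token -> record dict
        self.revoked_families = set()  # family ids killed by reuse detection

    def _issue(self, family, subject, client_id):
        # Every issuance makes a new refresh token bound to the client that
        # obtained it, with a full REFRESH_TTL window from now.
        rt = "RT-" + secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = {
            "family": family, "subject": subject, "client_id": client_id,
            "expires_at": self.now() + REFRESH_TTL, "active": True,
        }
        return {
            "access_token": "AT-" + secrets.token_urlsafe(24),
            "token_type": "bearer",
            "expires_in": ACCESS_TTL,
            "refresh_token": rt,
        }

    def password_grant(self, subject, client_id):
        # A new login starts a new token family.
        return self._issue(secrets.token_hex(8), subject, client_id)

    def refresh_grant(self, presented_rt, client_id):
        rec = self.refresh_tokens.get(presented_rt)
        # Unknown token and wrong-client token get the same answer so the
        # endpoint is not an oracle for which tokens exist.
        if rec is None or rec["client_id"] != client_id:
            return _error("invalid_grant", "unknown refresh token")
        if rec["family"] in self.revoked_families:
            return _error("invalid_grant", "refresh token family revoked")
        if not rec["active"]:
            # A retired token came back: the legitimate client and someone
            # else both hold it. Kill every token descended from this login.
            self.revoked_families.add(rec["family"])
            return _error("invalid_grant",
                          "refresh token reuse detected; family revoked")
        if rec["expires_at"] <= self.now():
            rec["active"] = False
            return _error("invalid_grant", "refresh token expired")
        # Rotate: retire the presented token, hand out a successor.
        rec["active"] = False
        return self._issue(rec["family"], rec["subject"], client_id)

    def family_of(self, rt):
        return self.refresh_tokens[rt]["family"]
```

The interesting case is the replay: after the client has rotated RT-1 into RT-2, a later presentation of RT-1 does not just fail, it also invalidates RT-2, which is the only way the server can tell that a copy of the token leaked. The cost is that a client which loses the rotated token (crash between receiving the response and persisting it) must log in again, so the native app has to store the new refresh token before discarding the old one.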