Why?


"William J. Mills" <[email protected]> schrieb:

I agree that this is something you could do, but it doesn't seem like a good 
design pattern.


_____________________________________________
From: Torsten Lodderstedt <[email protected]>
To: Eran Hammer-Lahav <[email protected]>; OAuth WG <[email protected]>
Sent: Sunday, July 10, 2011 1:21 AM
Subject: Re: [OAUTH-WG] Refresh token security considerations

replacement of the refresh token with every access token refresh is an example. 
The authz server creates and returns a new refresh token value with every 
access token refreshment. The old value is invalidated and must not be used any 
further. Note: The authz server keeps track of all old (invalidated) refresh 
tokens.

If a client presents one of those old refresh tokens, the legitimate client has 
been compromised most likely. The authz then revokes the refresh token and the 
associated access authorization.

regards,
Torsten.



Eran Hammer-Lahav <[email protected]> schrieb:

“the authorization server SHOULD deploy other means to detect refresh token 
abuse”

 

This requires an example. 

 

 

EHL


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to