Why would you re-issue a refresh token every usage? What's the use case where
this makes sense?
The way I always think about the design is that refresh tokens are indended to
be multi-use.
________________________________
From: Torsten Lodderstedt <[email protected]>
To: William J. Mills <[email protected]>; Eran Hammer-Lahav
<[email protected]>; OAuth WG <[email protected]>
Sent: Tuesday, July 12, 2011 12:53 AM
Subject: Re: [OAUTH-WG] Refresh token security considerations
Why?
"William J. Mills" <[email protected]> schrieb:
I agree that this is something you could do, but it doesn't seem like a good
design pattern.
>
>
>
>
>________________________________
>From: Torsten Lodderstedt <[email protected]>
>To: Eran Hammer-Lahav <[email protected]>; OAuth WG <[email protected]>
>Sent: Sunday, July 10, 2011 1:21 AM
>Subject: Re: [OAUTH-WG] Refresh token security considerations
>
>replacement of the refresh token with every access token refresh is an
>example. The authz server creates and returns a new refresh token value with
>every access token refreshment. The old value is invalidated and must not be
>used any further. Note: The authz server keeps track of all old (invalidated)
>refresh tokens.
>
>If a client presents one of those old refresh tokens, the legitimate client
>has been compromised most likely. The authz then revokes the refresh token and
>the associated access authorization.
>
>regards,
>Torsten.
>
>
>
>
>Eran Hammer-Lahav <[email protected]> schrieb:
>“the authorization server SHOULD deploy other means to detect refresh token
>abuse”
>>
>>This requires an example.
>>
>>
>>EHL
>_______________________________________________
>OAuth mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/oauth
>
>
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth