On 23/11/12 12:43, Bob Gregory wrote:
We've had OAuth2 running successfully for a while now, but we're finding
that mobile applications have frequent problems with the refresh flow
where a refresh request is made, but the network connection fails before
the new AT/RT pair is received, leading to a "lost grant".
In server-logs we can see that the token has been refreshed, and a new
RT issued, but the client is stuck with the old invalidated RT.
This problem has been reported by two separate client applications, both
of whom are using a retry-mechanism for API requests since they expect
an unreliable network connection.
Does anybody have any guidance on this issue, or is there any work in an
extension to address the issue of lost grants for token refreshes?
I wonder if RM support is needed at the transport/protocol level for
this to work reliably?
The same issue would also arise when an authorization code grant which
is expected to be used only once is validated on the server and a new
access token has not made it back to the client due to a connection loss...
Sergey
--
Q. How many members of a demographic group does it take to perform a
specified task?
A. A finite number; one to perform the task, and the remainder to act in
a manner stereotypical of the group in question.
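The failure mode Bob describes, as an added example that is not part of either message above: a toy authorization server in Python that rotates refresh tokens but keeps a short grace window in which the previous token, presented again, returns the same successor pair. Inside the window the refresh is idempotent, so the client's ordinary retry recovers the grant instead of being left with an invalidated RT; outside the window, or once the successor has itself been used, the repeat is treated as a replay and the whole grant is revoked. The class and function names, the in-memory store, the fake clock and the 30-second window are assumptions made for the illustration, not anything the list or the spec prescribes.

```python
import secrets


class InvalidGrant(Exception):
    """OAuth2 'invalid_grant' error from the token endpoint."""


class FakeClock:
    """Deterministic clock so the grace window can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class AuthorizationServer:
    """Toy authorization server (assumed design) with refresh-token rotation.

    grace_seconds: how long a just-rotated refresh token may be presented
    again and still receive the *same* successor pair. Inside the window the
    refresh is idempotent, so a client whose response was lost can simply
    retry. Outside it, reuse is treated as a replay and the grant is revoked.
    """

    def __init__(self, grace_seconds, clock):
        self.grace = grace_seconds
        self.clock = clock
        self.grants = {}          # grant_id -> {"subject": str, "revoked": bool}
        self.refresh_tokens = {}  # refresh token -> record, see _new_pair()

    def issue_grant(self, subject):
        grant_id = "grant_" + secrets.token_hex(4)
        self.grants[grant_id] = {"subject": subject, "revoked": False}
        return self._new_pair(grant_id)

    def _new_pair(self, grant_id):
        access_token = "at_" + secrets.token_urlsafe(12)
        refresh_token = "rt_" + secrets.token_urlsafe(12)
        self.refresh_tokens[refresh_token] = {
            "grant": grant_id,
            "rotated_at": None,   # None while this is still the live token
            "successor": None,    # (access_token, refresh_token) once rotated
        }
        return access_token, refresh_token

    def refresh(self, refresh_token):
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or self.grants[rec["grant"]]["revoked"]:
            raise InvalidGrant("unknown or revoked refresh token")

        if rec["rotated_at"] is None:
            # Normal path: rotate, and remember the successor for retries.
            pair = self._new_pair(rec["grant"])
            rec["rotated_at"] = self.clock()
            rec["successor"] = pair
            return pair

        # Already rotated. A legitimate retry arrives soon and before the
        # successor has been used; anything else looks like token reuse.
        successor_rt = rec["successor"][1]
        successor_unused = self.refresh_tokens[successor_rt]["rotated_at"] is None
        within_grace = self.clock() - rec["rotated_at"] <= self.grace
        if successor_unused and within_grace:
            return rec["successor"]      # idempotent: same AT/RT pair again

        self.grants[rec["grant"]]["revoked"] = True
        raise InvalidGrant("refresh token reuse detected; grant revoked")


def simulate_lost_response(grace_seconds, retry_delay):
    """Client refreshes, the response is lost in transit, client retries.

    Returns "recovered" if the retry yields a usable pair, or "lost_grant" if
    the client is left holding a refresh token the server no longer honours.
    """
    clock = FakeClock()
    server = AuthorizationServer(grace_seconds, clock)
    _, client_rt = server.issue_grant("alice")

    # First attempt: the server rotates, but the reply never reaches the
    # client, so the client still holds the old token.
    server.refresh(client_rt)

    clock.now += retry_delay
    try:
        _, client_rt = server.refresh(client_rt)   # retry with the old RT
    except InvalidGrant:
        return "lost_grant"
    return "recovered"
```

simulate_lost_response(0, 1.0) reproduces the stuck client from Bob's logs (server rotated, client never got the new pair) and simulate_lost_response(30, 1.0) shows the same retry recovering the grant. The authorization-code case Sergey raises has the same shape: the code's record would keep the pair it was exchanged for and hand it back on a prompt repeat of the exchange, rather than rejecting the code as already used.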
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth