On Fri, Nov 23, 2012 at 4:43 AM, Bob Gregory <[email protected]> wrote:
> We've had OAuth2 running successfully for a while now, but we're finding
> that mobile applications have frequent problems with the refresh flow where
> a refresh request is made, but the network connection fails before the new
> AT/RT pair is received, leading to a "lost grant".
>
> In server-logs we can see that the token has been refreshed, and a new RT
> issued, but the client is stuck with the old invalidated RT.
>
> This problem has been reported by two separate client applications, both
> of whom are using a retry-mechanism for API requests since they expect an
> unreliable network connection.
>
> Does anybody have any guidance on this issue, or is there any work in an
> extension to address the issue of lost grants for token refreshes?

Have you considered not revoking the old RT until the new RT has been
successfully used?

You might also need to consider what happens with requests that are
in-flight at the time the old RT is revoked. For example:

1) client starts token exchange, hangs for some reason.
2) client starts token exchange, succeeds, receives new refresh token
3) client uses new refresh token
4) request 1 completes

That could all happen in the space of a second or two. So you might want to
think about not revoking the old token until you see the new refresh token
used and a bit of time has passed.

Cheers,
Brian
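One way to implement the grace period Brian suggests, as an added example that is not from the thread or from any OAuth library: a server-side refresh-token store that rotates on every use but, when the old token is presented again, re-delivers the successor it already issued until that successor has been used and a grace window has elapsed. All class and function names, the GRACE_SECONDS value and the injected `now` clock are assumptions.

```python
import secrets
from typing import Dict, Optional
GRACE_SECONDS = 30.0  # assumed: seconds the old RT stays usable after the new one is first used

class RefreshToken:
    def __init__(self, value: str) -> None:
        self.value = value
        self.successor: Optional["RefreshToken"] = None  # RT issued when this one was refreshed
        self.first_used_at: Optional[float] = None       # when this RT was first presented

class RefreshTokenStore:
    def __init__(self) -> None:
        self._tokens: Dict[str, RefreshToken] = {}  # one grant's refresh tokens (assumed layout)

    def issue(self) -> RefreshToken:
        rt = RefreshToken(secrets.token_urlsafe(32))
        self._tokens[rt.value] = rt
        return rt

    def refresh(self, presented: str, now: float) -> str:
        rt = self._tokens.get(presented)
        if rt is None:
            raise PermissionError("invalid_grant")
        if rt.first_used_at is None:
            rt.first_used_at = now
        if rt.successor is None:
            rt.successor = self.issue()  # rotate, but do NOT revoke the old RT yet
            return rt.successor.value
        # Already rotated (response lost, or a hung request arriving late): re-deliver
        # the same successor until it has been used and the grace window has elapsed.
        used = rt.successor.first_used_at
        if used is None or now - used < GRACE_SECONDS:
            return rt.successor.value
        del self._tokens[presented]  # grace over: the old RT is now really revoked
        raise PermissionError("invalid_grant")

def lost_grant_scenario():
    """Bob's lost response, then Brian's in-flight race, then a retry after the grace window."""
    store = RefreshTokenStore()
    rt0 = store.issue().value
    rt1 = store.refresh(rt0, now=0.0)        # server rotates, but the response never arrives
    rt1_retry = store.refresh(rt0, now=1.0)  # client retries with rt0 and recovers rt1
    rt2 = store.refresh(rt1, now=2.0)        # client uses the new RT
    late = store.refresh(rt0, now=3.0)       # a request that hung with rt0 completes now
    try:
        store.refresh(rt0, now=2.0 + GRACE_SECONDS + 1.0)  # grace window is over
        expired_rejected = False
    except PermissionError:
        expired_rejected = True
    return rt1, rt1_retry, rt2, late, expired_rejected
```

The retry and the late request both get the same already-issued token back instead of an invalid_grant, so the client never ends up holding only an invalidated RT; once the grace window closes the old token is rejected as usual.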
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
