Provide a way to disable Refresh Token Rotation

Created on 24 June 2020
Updated 3 November 2023

It would be great to have a means to disable the refresh token rotation which is optional in the spec. The oauth2-server leaves it up to the implementation to do this, see this discussion.

My reasons are similar to others facing this issue - mostly poor client network connection that leads to dropping new refresh tokens upon access_token refresh.

As a suggestion, we could add an extra setting to enable this and then use it when revoking the old token in RefreshTokenRepository.php:33

  public function revokeRefreshToken($token_id) {
    // check the setting here
    $this->revoke($token_id);
  }

What do you think?

Cheers
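
The failure mode described in the request, as an added example that is not part of the original post and is not the module's or oauth2-server's code: a client whose refresh response is lost retries with the refresh token it still holds. `ToyTokenServer`, its `$rotate` flag and `retryAfterLostResponse()` are hypothetical names made up for this illustration.

```php
<?php
declare(strict_types=1);

// Toy in-memory token store, constructed for illustration only.
// $rotate stands in for the hypothetical setting the request proposes.
final class ToyTokenServer {
  /** @var array<string, bool> refresh token id => revoked? */
  private array $tokens = [];

  public function __construct(private bool $rotate) {}

  public function issue(): string {
    $id = bin2hex(random_bytes(8));
    $this->tokens[$id] = false;
    return $id;
  }

  // Returns the refresh token the client should present next time.
  public function refresh(string $id): string {
    if (!isset($this->tokens[$id]) || $this->tokens[$id]) {
      throw new RuntimeException('invalid_grant');
    }
    if (!$this->rotate) {
      return $id;              // same token stays valid until expiry or revocation
    }
    $this->tokens[$id] = true; // rotation: the old token is revoked immediately
    return $this->issue();
  }
}

// Simulates a client whose first refresh response is lost in transit,
// so it retries with the refresh token it still holds.
function retryAfterLostResponse(bool $rotate): string {
  $server = new ToyTokenServer($rotate);
  $held = $server->issue();
  $server->refresh($held);     // server processes it; the response never arrives
  try {
    $server->refresh($held);   // client retries with the old token
    return 'retry accepted';
  } catch (RuntimeException $e) {
    return 'retry rejected: ' . $e->getMessage();
  }
}

foreach ([true, false] as $rotate) {
  printf("rotation %s -> %s\n", $rotate ? 'on ' : 'off', retryAfterLostResponse($rotate));
}
```

With rotation off the retry succeeds, but a leaked refresh token also stays usable until it expires or is revoked, so refresh token lifetime and revocation on logout carry more of the load.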

Feature request
Status: Needs review
Version: 5.2
Component: Code
Created by: kazlauskis (🇬🇧 United Kingdom)
