Could use a little help here on best practices...
We've finally implemented OAuth for authentication for one of our services - hooray! For the end user, it's working great.
We've got an access token lifespan of 60 minutes, and a much longer refresh token expiry on the scale of months. We actually need those long refresh token lifespans. Users might go away from their system for months, while others might use the service for hours every day.
However, when the access token expires, the client uses their refresh token to request a new access token/refresh token pair. But this does not remove the old refresh token, which still has months before it expires.
With an access token lifespan of about 60 seconds, and pretty constant queries coming in from clients, this means that the token table is getting littered with old used refresh tokens, no longer held by any client. That seems messy - like printing a new key to your home but having all the old ones still work.
I see issues like [PP-1] Revoke refresh tokens (status: Needs work) - this obviously isn't a trivial problem. What's the best practice here? Should we be changing the lifespan of our tokens? Should the server work to discard a refresh token after a new one has been created? Is there some simple setting I'm missing that already does this? Is the correct solution something more like [PP-1] Revoke refresh tokens, where the client is responsible for requesting that an old token be discarded?
Would appreciate a little guidance before we drown in refresh tokens. Thanks!
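One way the server side of this can work, as an added example that is not the poster's code or their service's: refresh token rotation. Each login starts a token "family"; exchanging a refresh token marks it used and issues a new pair in the same family; presenting an already-used token is treated as reuse and revokes the whole family; and a periodic purge deletes expired rows and used rows older than a retention window, so the table stops accumulating. The 60-minute access lifetime comes from the post; the six-month refresh lifetime, the retention window, the in-memory dict store and the `TokenStore`, `login`, `rotate` and `purge` names are assumptions for the illustration.

```python
import secrets
import time

ACCESS_TTL = 60 * 60             # 60 minutes, as in the post
REFRESH_TTL = 180 * 24 * 60 * 60 # about six months (assumed value)
USED_RETENTION = 24 * 60 * 60    # keep used tokens one day for reuse detection (assumed)


class TokenStore:
    """In-memory stand-in for the refresh-token table (assumed design).

    refresh: token -> {"family", "user", "exp", "used_at"}; used_at is None
    while the token is still exchangeable.
    """

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the flow can be tested offline
        self.refresh = {}

    def _mint(self, user, family):
        """Issue a fresh access/refresh pair bound to one session family."""
        refresh_tok = secrets.token_urlsafe(32)
        self.refresh[refresh_tok] = {
            "family": family, "user": user,
            "exp": self.now() + REFRESH_TTL, "used_at": None,
        }
        access_tok = {"sub": user, "exp": self.now() + ACCESS_TTL,
                      "token": secrets.token_urlsafe(32)}
        return access_tok, refresh_tok

    def login(self, user):
        """A new login starts a new family; one family per client session."""
        return self._mint(user, secrets.token_hex(8))

    def _revoke_family(self, family):
        for tok in [t for t, r in self.refresh.items() if r["family"] == family]:
            del self.refresh[tok]

    def rotate(self, presented):
        """Exchange a refresh token: the old one is dead as soon as this returns."""
        rec = self.refresh.get(presented)
        if rec is None or rec["exp"] < self.now():
            raise PermissionError("unknown or expired refresh token")
        if rec["used_at"] is not None:
            # An already-exchanged token is being replayed. Either the client
            # lost the newer token or a copy leaked; either way, end the session.
            self._revoke_family(rec["family"])
            raise PermissionError("refresh token reuse detected; session revoked")
        rec["used_at"] = self.now()
        return self._mint(rec["user"], rec["family"])

    def live_tokens(self):
        """Count tokens a client could still exchange right now."""
        now = self.now()
        return sum(1 for r in self.refresh.values()
                   if r["used_at"] is None and r["exp"] >= now)

    def purge(self):
        """Housekeeping job: drop expired rows and used rows past retention."""
        now = self.now()
        self.refresh = {
            t: r for t, r in self.refresh.items()
            if r["exp"] >= now
            and (r["used_at"] is None or r["used_at"] + USED_RETENTION >= now)
        }
        return len(self.refresh)


if __name__ == "__main__":
    store = TokenStore()
    _, r1 = store.login("alice")
    _, r2 = store.rotate(r1)          # normal renewal: r1 is now used
    print("live refresh tokens:", store.live_tokens())  # 1
    try:
        store.rotate(r1)              # replaying r1 revokes the whole family
    except PermissionError as e:
        print("replay:", e)
    print("live after replay:", store.live_tokens())   # 0
```

The used row is kept briefly rather than deleted on the spot so a replayed token can be distinguished from a random invalid one; that is what makes family revocation possible. If reuse detection is not wanted, `rotate` can simply delete the old row and the purge reduces to dropping expired ones.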