Revoke previous refresh token after issuing a new one

[proyupgrade]

Expected Behavior
Refresh token used on the refresh_token grant type flow should be invalidated after the new one has been issued.

Current Behavior
Previously used refresh token can still be used even though the server generates a new one.

Context
According to the specification (https://www.rfc-editor.org/rfc/rfc6749#section-5.2):

The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client.

At the moment, it is only possible to change the server's configuration to make it issue a new refresh token on each request instead of reusing the same one over again. We're looking for a similar approach that aims to revoke the previous token at the same time to provide better security.

[jcranfordupgrade]

I found this in RFC 7009 OAuth 2.0 Token Revocation.

1. Revoke refresh_token SHOULD revoke related access_token(s).
2. Revoke access_token MAY revoke related refresh_token(s).

For OIDC ID token, I think we can infer similar.

https://www.rfc-editor.org/rfc/rfc7009#section-2.1

   Depending on the authorization server's revocation policy, the
   revocation of a particular token may cause the revocation of related
   tokens and the underlying authorization grant.  If the particular
   token is a refresh token and the authorization server supports the
   revocation of access tokens, then the authorization server SHOULD
   also invalidate all access tokens based on the same authorization
   grant (see Implementation Note).  If the token passed to the request
   is an access token, the server MAY revoke the respective refresh
   token as well.

[jgrandja]

@proyupgrade

Previously used refresh token can still be used even though the server generates a new one.

This is not correct. If the AS generates a new refresh token then the previous one cannot be reused. Add the test below to OAuth2RefreshTokenGrantTests as it demonstrates that the old refresh token cannot be used.

@Test
public void requestWhenGenerateNewRefreshTokenOnRefreshThenOldOneCannotBeUsed() throws Exception {
	this.spring.register(AuthorizationServerConfiguration.class).autowire();

	TokenSettings tokenSettings = TokenSettings.builder().reuseRefreshTokens(false).build();
	RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
			.tokenSettings(tokenSettings)
			.build();
	this.registeredClientRepository.save(registeredClient);

	OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
	this.authorizationService.save(authorization);

	OAuth2RefreshToken originalRefreshToken = authorization.getRefreshToken().getToken();

	MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
	parameters.set(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.REFRESH_TOKEN.getValue());
	parameters.set(OAuth2ParameterNames.REFRESH_TOKEN, originalRefreshToken.getTokenValue());

	this.mvc.perform(post(DEFAULT_TOKEN_ENDPOINT_URI)
					.params(parameters)
					.header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
							registeredClient.getClientId(), registeredClient.getClientSecret())))
			.andExpect(status().isOk());

	OAuth2Authorization updatedAuthorization = this.authorizationService.findById(authorization.getId());

	// Assert new refresh token was generated
	assertThat(updatedAuthorization.getRefreshToken().getToken().getTokenValue()).isNotEqualTo(originalRefreshToken.getTokenValue());

	// Attempt again using the original refresh token
	this.mvc.perform(post(DEFAULT_TOKEN_ENDPOINT_URI)
					.params(parameters)
					.header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
							registeredClient.getClientId(), registeredClient.getClientSecret())))
			.andExpect(status().isBadRequest());		// Old refresh token cannot be used
}

[proyupgrade]

Apologies, it works indeed. There was an issue on how we handle our persistence; which made the refresh token always reusable.