Revoke previous refresh token after issuing a new one #1128

Closed
@proyupgrade

Description

Expected Behavior
The refresh token used in the refresh_token grant flow should be invalidated after the new one has been issued.

Current Behavior
A previously used refresh token can still be used even though the server generates a new one.

Context
According to the specification (https://www.rfc-editor.org/rfc/rfc6749#section-5.2):

The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client.

At the moment, it is only possible to change the server's configuration so that it issues a new refresh token on each request instead of reusing the same one over and over. We're looking for a similar approach that also revokes the previous token at the same time, to provide better security.
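The behaviour requested above, rotation of the refresh token with revocation of the one it replaces, as an added example in Python that is not code from the issue or from the project it was filed against. The in-memory store keyed by token digest, the class and method names, and the `revoke_previous` switch are assumptions made for illustration: `revoke_previous=False` reproduces the configuration the reporter describes (a fresh token on every refresh while the old one keeps working), `revoke_previous=True` is the requested fix. The example goes one step beyond the request by treating presentation of an already-revoked token as reuse and revoking the whole rotation chain, which is the defence the OAuth 2.0 Security Best Current Practice recommends alongside rotation.

```python
"""Refresh-token rotation with revocation of the superseded token.

Added example; store layout, names and the revoke_previous switch are
assumptions, not the API of any particular authorization server.
"""
import hashlib
import secrets
import time


class InvalidGrant(Exception):
    """Maps to the RFC 6749 `invalid_grant` token error response."""


class RefreshTokenStore:
    def __init__(self, revoke_previous=True, lifetime_seconds=3600, clock=time.time):
        # revoke_previous=False is the behaviour the issue complains about:
        # a new refresh token is issued but the presented one stays valid.
        self.revoke_previous = revoke_previous
        self.lifetime = lifetime_seconds
        self.clock = clock  # injectable for testing expiry
        self._records = {}  # sha256(token) -> record dict

    @staticmethod
    def _hash(token):
        # Persist only a digest so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, subject, family_id=None):
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = {
            "client_id": client_id,
            "subject": subject,
            # Every token along one rotation chain shares a family id, so a
            # replayed, already-revoked token can invalidate the whole chain.
            "family_id": family_id or secrets.token_hex(8),
            "expires_at": self.clock() + self.lifetime,
            "revoked": False,
        }
        return token

    def _revoke_family(self, family_id):
        for rec in self._records.values():
            if rec["family_id"] == family_id:
                rec["revoked"] = True

    def refresh(self, presented_token, client_id):
        """Handle grant_type=refresh_token; return (access_token, new_refresh_token)."""
        rec = self._records.get(self._hash(presented_token))
        if rec is None or rec["client_id"] != client_id:
            raise InvalidGrant("unknown refresh token or wrong client")
        if rec["revoked"]:
            # Either the legitimate client lost a race or an attacker replayed
            # a stolen token; the server cannot tell which, so it revokes
            # every token in the family and forces a fresh authorization.
            self._revoke_family(rec["family_id"])
            raise InvalidGrant("refresh token reuse detected; family revoked")
        if rec["expires_at"] <= self.clock():
            rec["revoked"] = True
            raise InvalidGrant("refresh token expired")
        if self.revoke_previous:
            rec["revoked"] = True  # the fix the issue asks for
        new_refresh = self.issue(client_id, rec["subject"], rec["family_id"])
        access_token = secrets.token_urlsafe(32)  # stand-in for a real access token
        return access_token, new_refresh

    def is_active(self, token):
        rec = self._records.get(self._hash(token))
        return rec is not None and not rec["revoked"] and rec["expires_at"] > self.clock()


def demo_rotation(revoke_previous):
    """Issue a token, refresh once, then replay the superseded token.

    Returns (old_token_still_usable, new_token_still_usable).
    """
    store = RefreshTokenStore(revoke_previous=revoke_previous)
    rt1 = store.issue("client-a", "alice")
    _, rt2 = store.refresh(rt1, "client-a")
    try:
        store.refresh(rt1, "client-a")  # replay of the token that was just rotated
        old_usable = True
    except InvalidGrant:
        old_usable = False
    return old_usable, store.is_active(rt2)
```

With `revoke_previous=True` the replay fails and, because the replay is treated as reuse, the new token is revoked as well, so a client that loses a refresh race has to re-authorize; with `revoke_previous=False` the replay succeeds and both tokens remain usable, which is the situation the issue describes.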

Labels

status: invalid (An issue that we don't feel is valid)
