Refresh token refreshes all the time #232
Comments
|
If we take a look into the underlying library for Passport ( public function respondToAccessTokenRequest(
ServerRequestInterface $request,
ResponseTypeInterface $responseType,
\DateInterval $accessTokenTTL
) {
// Validate request
$client = $this->validateClient($request);
$oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
// If no new scopes are requested then give the access token the original session scopes
if (count($scopes) === 0) {
$scopes = array_map(function ($scopeId) use ($client) {
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
if ($scope instanceof ScopeEntityInterface === false) {
// @codeCoverageIgnoreStart
throw OAuthServerException::invalidScope($scopeId);
// @codeCoverageIgnoreEnd
}
return $scope;
}, $oldRefreshToken['scopes']);
} else {
// The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
// the request doesn't include any new scopes
foreach ($scopes as $scope) {
if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
throw OAuthServerException::invalidScope($scope->getIdentifier());
}
}
}
// Expire old tokens
$this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);
$this->refreshTokenRepository->revokeRefreshToken($oldRefreshToken['refresh_token_id']);
// Issue and persist new tokens
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $oldRefreshToken['user_id'], $scopes);
$refreshToken = $this->issueRefreshToken($accessToken);
// Inject tokens into response
$responseType->setAccessToken($accessToken);
$responseType->setRefreshToken($refreshToken);
return $responseType;
}So in answer to your question about never expiring refresh tokens...not possible. In answer to why it's always being refreshed...that's how the library is designed to work. Just because the token last's a long time, doesn't mean it SHOULD be usable more than once, and that seems like that's how Alex interpreted that when he built it. Basically, you aren't doing anything wrong. That's how this library (and the underlying one) operate. |
|
Ok, thanks for your answer. |
|
Sorry for bumping the thread, but facing the same issue, I found the easy solution. To simply ignore token revocations, just do this:
For my needs, I wanted to add a grace period to token revocations, in case multiple refresh token requests were sent in parallel. What I did is a bit more complicated, but still very simple:
|
|
This PR stops the revoking of refresh tokens. thephpleague/oauth2-server#1189 It is probably worth suggesting a PR to Passport to implement it |
Hi,
I'm having an issue with refresh tokens. in mu AuthServiceProvider I have the following piece of code.
setting the refreshTokensExpireIn to 1 year from now as stated in the documentation. No everytime I want to refresh my access token the refresh token is also being refreshed. looking at other applications I found out that in most of the cases the refresh token never expires.
my question: What am I doing wrong? why is my refresh token refreshed all the time. and the other question, Is it possible that the refresh token never expires?
thanks in advance
The text was updated successfully, but these errors were encountered: