<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi Raghu,<br>
      <br>
      From the specs, it looks to me like this is not mandatory. The
      paragraph starts with "For example". Feel free to create a JIRA,
      but I personally can't promise anything regarding this...<br>
      <br>
      Marek<br>
      <br>
      <br>
      On 06/10/15 17:37, Raghu Prabhala wrote:<br>
    </div>
    <blockquote
      cite="mid:20768180-BBB8-45B4-BFE6-7C376F642CFA@yahoo.com"
      type="cite">
      <div>Hi Marek - section 10.4 of RFC 6749 mentions that the prior
        refresh token should be invalidated but retained by the server,
        to handle compromise of refresh tokens, as they are long lived.</div>
      <div id="AppleMailSignature">Thanks,</div>
      <div id="AppleMailSignature">Raghu<br>
        <br>
        Sent from my iPhone</div>
      <div><br>
        On Oct 6, 2015, at 10:53 AM, Marek Posolda &lt;<a class="moz-txt-link-abbreviated" href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <div class="moz-cite-prefix">You're right, the same refresh token
            can be used multiple times. However, it is still better to use
            refresh token R2 in your step 3 instead of the old refresh
            token R1, because R2 has an updated timestamp (each token is
            valid for just 30 minutes or so, depending on the configured
            SSO session idle timeout).<br>
            <br>
            Or are you suggesting that this is a security issue and a
            potential man-in-the-middle possibility? If you use HTTPS
            (which is recommended for production environments, and
            especially if you have an unsecured/untrusted network), this
            shouldn't be an issue.<br>
            <br>
            Marek<br>
            <br>
            On 06/10/15 16:34, Kuznetsov, Mike wrote:<br>
          </div>
          <blockquote
cite="mid:66122567ABACCC42B5B568EC7E90551A1A73CE57@G1W3780.americas.hpqcorp.net"
            type="cite">
            <div class="WordSection1">
              <p>Hello,</p>
              <p>I noticed that with Keycloak, it seems that refresh tokens
                are still valid after they are used once. This means that
                Keycloak does <b>not</b> invalidate Refresh Tokens after they
                have been used once.</p>
              <p>I am able to successfully execute the following flow:</p>
              <ol>
                <li>Obtain Access Token (A1) and Refresh Token (R1)</li>
                <li>Use Refresh Token (R1) to obtain new Access Token (A2)
                  and Refresh Token (R2)</li>
                <li>Use the same Refresh Token (R1) again to obtain new
                  Access Token (A3) and Refresh Token (R3)</li>
              </ol>
              <p>Can you please tell me if this is the intended
                functionality?</p>
              <p>Thank You,</p>
              <p><b>Mikhail Kuznetsov</b><br>
                Software Engineer<br>
                Hewlett Packard Enterprise</p>
            </div>
            <pre wrap="">_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
          </blockquote>
          <br>
        </div>
      </blockquote>
    </blockquote>
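    <p>Added worked example, not part of the thread and not Keycloak's code: a
      minimal Python token store that implements the RFC 6749 section 10.4
      behaviour Raghu refers to (rotate the refresh token on every use, invalidate
      the prior token but retain its record, and revoke the whole token family when
      an invalidated token is presented again), replayed against the three-step
      flow from Mike's message. The <code>rotate=False</code> mode reproduces the
      non-rotating behaviour Marek describes, where the same token stays valid and
      only its timestamp is refreshed. The class and function names
      (<code>TokenStore</code>, <code>run_mikes_flow</code>,
      <code>expiry_demo</code>), the 30-minute idle timeout and all token values
      are assumptions constructed for this illustration.</p>

```python
"""Refresh-token rotation with reuse detection (RFC 6749 section 10.4).

Stand-alone illustration written for this thread; it is not Keycloak code.
Token values are random strings generated here, and the 30-minute default
idle timeout is an assumption taken from Marek's description.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    """Server-side state kept for one refresh token."""
    family: str          # every token descended from one login shares a family id
    issued_at: float
    used: bool = False   # True once the token has been exchanged (rotated away)


class ReuseDetected(Exception):
    """Raised when an already-rotated (invalidated but retained) token reappears."""


class TokenStore:
    def __init__(self, rotate: bool = True, idle_timeout: float = 30 * 60,
                 clock=time.time):
        self.rotate = rotate              # False reproduces the behaviour Mike observed
        self.idle_timeout = idle_timeout  # assumed 30-minute session idle timeout
        self.clock = clock                # injectable so a test can control time
        self.refresh: dict[str, RefreshRecord] = {}
        self.revoked_families: set[str] = set()

    def _new_refresh(self, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh[token] = RefreshRecord(family=family, issued_at=self.clock())
        return token

    def login(self) -> tuple[str, str]:
        """Step 1: the initial grant returns (access_token, refresh_token)."""
        family = secrets.token_hex(8)
        return secrets.token_urlsafe(16), self._new_refresh(family)

    def exchange(self, refresh_token: str) -> tuple[str, str]:
        """Steps 2 and 3: trade a refresh token for a new access + refresh token."""
        rec = self.refresh.get(refresh_token)
        if rec is None or rec.family in self.revoked_families:
            raise PermissionError("invalid_grant: unknown or revoked refresh token")
        if self.clock() - rec.issued_at > self.idle_timeout:
            raise PermissionError("invalid_grant: refresh token expired")
        if rec.used:
            # The prior token was invalidated but retained precisely so this case
            # can be recognised: someone is presenting a token the legitimate
            # client already spent. Revoke the whole family, not just this token.
            self.revoked_families.add(rec.family)
            raise ReuseDetected(f"refresh token reuse for family {rec.family}")
        if self.rotate:
            rec.used = True                      # invalidate, but keep the record
            new_refresh = self._new_refresh(rec.family)
        else:
            rec.issued_at = self.clock()         # same token back, fresher timestamp
            new_refresh = refresh_token
        return secrets.token_urlsafe(16), new_refresh


def run_mikes_flow(rotate: bool) -> dict:
    """Replays the three steps from the thread and reports what step 3 does."""
    store = TokenStore(rotate=rotate)
    _a1, r1 = store.login()
    _a2, r2 = store.exchange(r1)
    try:
        store.exchange(r1)                       # step 3: present R1 a second time
        outcome = "accepted"
    except ReuseDetected:
        outcome = "reuse_detected"
    # After reuse detection even the legitimately issued R2 must be dead.
    try:
        store.exchange(r2)
        r2_alive = True
    except (PermissionError, ReuseDetected):
        r2_alive = False
    return {"step3": outcome, "r1_equals_r2": r1 == r2, "r2_usable_after": r2_alive}


def expiry_demo() -> bool:
    """Shows the idle-timeout check with a controlled clock (constructed times)."""
    now = [0.0]
    store = TokenStore(clock=lambda: now[0])
    _a1, r1 = store.login()
    now[0] = 31 * 60                              # 31 minutes later
    try:
        store.exchange(r1)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("rotating store:", run_mikes_flow(rotate=True))
    print("non-rotating store:", run_mikes_flow(rotate=False))
    print("expired token rejected:", expiry_demo())
```

    <p>The point of retaining the invalidated record rather than deleting it is
      the <code>rec.used</code> branch: a deleted token would just be "unknown",
      indistinguishable from a typo, whereas a retained-but-used token is a
      reliable signal that two parties hold the same refresh token and that the
      whole family should be revoked.</p>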
    <br>
  </body>
</html>