You're right, same refresh token can be used more times. However it is
still better to use refresh token R2 in your step 3 instead of using old
refresh token R1 because R2 has updated timestamp (each token is valid
just for 30 minutes or so, depends on the configured SSO session idle
timeout).
Or are you referring that this is security issue and potential
possibility to Man in the middle? If you use HTTPS (which is recommended
for production environment, and especially if you have
unsecured/untrusted networkl), this shouldn't be an issue.
Marek
On 06/10/15 16:34, Kuznetsov, Mike wrote:
Hello,
I noticed that with Keycloak, it seems that refresh tokens are still
valid after they are used once. This means that Keycloak does *not*
invalidate Refresh Tokens after they have been used once.
I am able to successfully execute the following flow:
1.Obtain Access Token (A1) and Refresh Token (R1)
2.Use Refresh Token (R1) to obtain new Access Token (A2) and Refresh
Token (R2)
3.Use same Refresh Token (R1) again to obtain new Access Token (A3)
and Refresh Token (R3)
Can you please tell me if this is the intended functionality?
Thank You,
*Mikhail Kuznetsov*
Software Engineer
Hewlett Packard Enterprise
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev