Hi Raghu,
From the spec, it looks to me like this is not mandatory. The
paragraph starts with "For example". Feel free to create a JIRA, but I
personally can't promise anything regarding this...
Marek
On 06/10/15 17:37, Raghu Prabhala wrote:
Hi Marek - Section 10.4 of RFC 6749 mentions that the prior refresh
token should be invalidated but retained by the server, to handle
compromise of refresh tokens, as they are long-lived.
Thanks,
Raghu
On Oct 6, 2015, at 10:53 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
> You're right, the same refresh token can be used more than once. However,
> it is still better to use refresh token R2 in your step 3 instead of
> using the old refresh token R1, because R2 has an updated timestamp (each
> token is valid just for 30 minutes or so, depending on the configured
> SSO session idle timeout).
>
> Or are you referring to this being a security issue and a potential
> man-in-the-middle possibility? If you use HTTPS (which is
> recommended for production environments, and especially if you have an
> unsecured/untrusted network), this shouldn't be an issue.
>
> Marek
>
> On 06/10/15 16:34, Kuznetsov, Mike wrote:
>>
>> Hello,
>>
>> I noticed that with Keycloak, it seems that refresh tokens are still
>> valid after they are used once. This means that Keycloak does *not*
>> invalidate Refresh Tokens after they have been used once.
>>
>> I am able to successfully execute the following flow:
>>
>> 1. Obtain Access Token (A1) and Refresh Token (R1)
>>
>> 2. Use Refresh Token (R1) to obtain new Access Token (A2) and Refresh
>> Token (R2)
>>
>> 3. Use same Refresh Token (R1) again to obtain new Access Token (A3)
>> and Refresh Token (R3)
>>
>> Can you please tell me if this is the intended functionality?
>>
>> Thank You,
>>
>>
>> *Mikhail Kuznetsov*
>>
>> Software Engineer
>>
>> Hewlett Packard Enterprise
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
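The behaviour Raghu cites from RFC 6749 section 10.4 (the prior refresh token is invalidated but retained so that a later use of it can be recognised), run against the three-step flow Mike reported, as an added example in Python. This is illustrative code written for this thread, not Keycloak's implementation; the `TokenStore` class, its methods and the `rotate` switch are assumptions, and the user names are constructed sample input. With `rotate=True` the store rotates on every refresh grant and treats a second use of a retired token as a compromise signal, revoking the whole token family; with `rotate=False` it reproduces the reuse Mike observed.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Token endpoint error: the presented refresh token is not acceptable."""


@dataclass
class RefreshRecord:
    family: str        # every token descended from one login shares a family id
    user: str
    active: bool = True  # False once rotated: "invalidated but retained"


class TokenStore:
    """Hypothetical authorization-server token store (assumption, not Keycloak)."""

    def __init__(self, rotate: bool = True) -> None:
        self.rotate = rotate
        self.refresh_tokens: dict[str, RefreshRecord] = {}
        self.access_tokens: dict[str, str] = {}   # access token -> family id
        self.revoked_families: set[str] = set()

    def _issue_pair(self, user: str, family: str) -> tuple[str, str]:
        access = secrets.token_urlsafe(24)
        refresh = secrets.token_urlsafe(24)
        self.access_tokens[access] = family
        self.refresh_tokens[refresh] = RefreshRecord(family, user)
        return access, refresh

    def login(self, user: str) -> tuple[str, str]:
        """Start a new token family for a fresh authentication."""
        return self._issue_pair(user, family=secrets.token_urlsafe(8))

    def refresh_grant(self, refresh: str) -> tuple[str, str]:
        """Token endpoint, grant_type=refresh_token."""
        rec = self.refresh_tokens.get(refresh)
        if rec is None:
            raise InvalidGrant("unknown refresh token")
        if rec.family in self.revoked_families:
            raise InvalidGrant("token family has been revoked")
        if not rec.active:
            # A retired token is being replayed: either the legitimate client
            # lost the newer token or an attacker holds a stolen copy. We cannot
            # tell which, so revoke everything derived from that login.
            self.revoked_families.add(rec.family)
            raise InvalidGrant("refresh token reuse detected; family revoked")
        if self.rotate:
            rec.active = False  # keep the record, but it may never be used again
        return self._issue_pair(rec.user, rec.family)

    def access_token_valid(self, access: str) -> bool:
        family = self.access_tokens.get(access)
        return family is not None and family not in self.revoked_families

    def refresh_token_valid(self, refresh: str) -> bool:
        rec = self.refresh_tokens.get(refresh)
        return rec is not None and rec.active and rec.family not in self.revoked_families


def run_reported_flow(rotate: bool) -> dict[str, bool]:
    """Steps 1-3 from the thread; returns what happened at step 3 and after."""
    store = TokenStore(rotate=rotate)
    a1, r1 = store.login("alice")               # step 1 (constructed user)
    a2, r2 = store.refresh_grant(r1)            # step 2
    try:
        store.refresh_grant(r1)                 # step 3: replay R1
        step3_rejected = False
    except InvalidGrant:
        step3_rejected = True
    return {
        "step3_rejected": step3_rejected,
        "a2_still_valid": store.access_token_valid(a2),
        "r2_still_valid": store.refresh_token_valid(r2),
    }


if __name__ == "__main__":
    print("rotation on :", run_reported_flow(rotate=True))
    print("rotation off:", run_reported_flow(rotate=False))
```

With rotation on, step 3 fails with `invalid_grant` and, because the replay is taken as evidence of compromise, A2 and R2 stop working too, so the legitimate client is forced back through login. With rotation off, step 3 succeeds and both R1 and R2 remain usable, which is the behaviour the thread describes.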