[keycloak-dev] Same Refresh token can be used multiple times to obtain access token

Kuznetsov, Mike mikhail.kuznetsov at hpe.com
Tue Oct 6 10:34:07 EDT 2015


Hello,

I noticed that with Keycloak, it seems that refresh tokens are still valid after they are used once. This means that Keycloak does not invalidate Refresh Tokens after they have been used once.

I am able to successfully execute the following flow:

1. Obtain Access Token (A1) and Refresh Token (R1)

2. Use Refresh Token (R1) to obtain new Access Token (A2) and Refresh Token (R2)

3. Use same Refresh Token (R1) again to obtain new Access Token (A3) and Refresh Token (R3)


Can you please tell me if this is the intended functionality?

Thank You,

Mikhail Kuznetsov
Software Engineer
Hewlett Packard Enterprise
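
The three-step flow from the message above, as an added example that is not part of the original post and is not Keycloak code. It is a constructed in-memory token endpoint (all class and function names are hypothetical) run once with reusable refresh tokens and once with one-time-use tokens; revoking the session on replay goes beyond what the message describes and is a common hardening assumed here.

```python
import secrets


class TokenEndpoint:
    """Toy in-memory token endpoint (constructed model, not Keycloak code)."""

    def __init__(self, one_time_use):
        self.one_time_use = one_time_use
        self.active = {}  # refresh token -> session id
        self.spent = {}   # already-used refresh token -> session id

    def _issue(self, session):
        access = "A-" + secrets.token_hex(8)
        refresh = "R-" + secrets.token_hex(8)
        self.active[refresh] = session
        return access, refresh

    def login(self):
        return self._issue("S-" + secrets.token_hex(4))

    def refresh(self, token):
        if token in self.spent:
            # Replay of a spent token: revoke every token of that session.
            session = self.spent[token]
            self.active = {t: s for t, s in self.active.items() if s != session}
            raise PermissionError("refresh token reuse detected")
        if token not in self.active:
            raise PermissionError("invalid refresh token")
        session = self.active[token]
        if self.one_time_use:
            del self.active[token]
            self.spent[token] = session
        return self._issue(session)


def run_flow(endpoint):
    """Run steps 1-3 from the message; return (replay_accepted, r2_still_valid)."""
    _a1, r1 = endpoint.login()          # step 1: obtain A1 and R1
    _a2, r2 = endpoint.refresh(r1)      # step 2: R1 -> A2 and R2
    try:
        endpoint.refresh(r1)            # step 3: present R1 a second time
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return replay_accepted, r2 in endpoint.active


if __name__ == "__main__":
    print(run_flow(TokenEndpoint(False)), run_flow(TokenEndpoint(True)))
```
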
