[keycloak-dev] Same Refresh token can be used multiple times to obtain access token

Raghu Prabhala prabhalar at yahoo.com
Tue Oct 6 11:37:46 EDT 2015 

Hi Marek - section 10.4 of rfc6749 mentions that the prior refresh token should be invalidated but retained by the server - to handle compromise of refresh tokens as they are long lived. 

Thanks,
Raghu

Sent from my iPhone

> On Oct 6, 2015, at 10:53 AM, Marek Posolda <mposolda at redhat.com> wrote:
> 
> You're right, same refresh token can be used more times. However it is still better to use refresh token R2 in your step 3 instead of using old refresh token R1 because R2 has updated timestamp (each token is valid just for 30 minutes or so, depends on the configured SSO session idle timeout).
> 
> Or are you referring that this is security issue and potential possibility to Man in the middle? If you use HTTPS (which is recommended for production environment, and especially if you have unsecured/untrusted networkl), this shouldn't be an issue.
> 
> Marek
> 
>> On 06/10/15 16:34, Kuznetsov, Mike wrote:
>> Hello,
>>  
>> I noticed that with Keycloak, it seems that           refresh tokens are still valid after they are used once. This means that Keycloak does not invalidate Refresh Tokens after they have been used once.
>>  
>> I am able to successfully execute the following flow:
>> 1.       Obtain Access Token (A1) and Refresh Token (R1)
>> 2.       Use Refresh Token (R1) to obtain           new Access Token (A2) and Refresh Token (R2)
>> 3.       Use same Refresh Token (R1) again to obtain new Access Token (A3) and Refresh Token (R3)
>>  
>>  
>> Can you please tell me if this is the intended functionality?
>>  
>> Thank You,
>> 
>> Mikhail Kuznetsov
>> Software Engineer
>> Hewlett Packard Enterprise
>>  
>> 
>> 
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151006/4db7a8d5/attachment-0001.html

More information about the keycloak-dev mailing list