[keycloak-dev] Same Refresh token can be used multiple times to obtain access token
Marek Posolda
mposolda at redhat.com
Tue Oct 6 13:16:18 EDT 2015
Hi Raghu,
From the specs, it looks to me that this is not anything mandatory. The
paragraph is starting "For example". Feel free to create JIRA, but I
personally can't promise anything regarding this...
Marek
On 06/10/15 17:37, Raghu Prabhala wrote:
> Hi Marek - section 10.4 of rfc6749 mentions that the prior refresh
> token should be invalidated but retained by the server - to handle
> compromise of refresh tokens as they are long lived.
>
> Thanks,
> Raghu
>
> Sent from my iPhone
>
> On Oct 6, 2015, at 10:53 AM, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
>> You're right, same refresh token can be used more times. However it
>> is still better to use refresh token R2 in your step 3 instead of
>> using old refresh token R1 because R2 has updated timestamp (each
>> token is valid just for 30 minutes or so, depends on the configured
>> SSO session idle timeout).
>>
>> Or are you referring that this is security issue and potential
>> possibility to Man in the middle? If you use HTTPS (which is
>> recommended for production environment, and especially if you have
>> unsecured/untrusted network), this shouldn't be an issue.
>>
>> Marek
>>
>> On 06/10/15 16:34, Kuznetsov, Mike wrote:
>>>
>>> Hello,
>>>
>>> I noticed that with Keycloak, it seems that refresh tokens are still
>>> valid after they are used once. This means that Keycloak does *not*
>>> invalidate Refresh Tokens after they have been used once.
>>>
>>> I am able to successfully execute the following flow:
>>>
>>> 1. Obtain Access Token (A1) and Refresh Token (R1)
>>>
>>> 2. Use Refresh Token (R1) to obtain new Access Token (A2) and Refresh
>>> Token (R2)
>>>
>>> 3. Use same Refresh Token (R1) again to obtain new Access Token (A3)
>>> and Refresh Token (R3)
>>>
>>> Can you please tell me if this is the intended functionality?
>>>
>>> Thank You,
>>>
>>>
>>> *Mikhail Kuznetsov*
>>>
>>> Software Engineer
>>>
>>> Hewlett Packard Enterprise
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
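The behaviour Raghu points to in RFC 6749 section 10.4 (rotate the refresh token on every use, keep the consumed one on the server, and treat a replay as a compromise of the whole token family) can be illustrated with a small in-memory token endpoint. This is an added, hypothetical simulation written for this thread, not Keycloak code; the `TokenEndpoint` class, the `RefreshRecord` store and the `replay_flow` helper are assumptions, and it walks through Mike's three-step flow to show step 3 being rejected and R2 being revoked alongside it.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RefreshRecord:
    family: str           # every token descending from one login shares a family id
    used: bool = False    # rotated-out tokens are retained, flagged as consumed
    revoked: bool = False


class TokenEndpoint:
    """Hypothetical token endpoint implementing refresh-token rotation with
    reuse detection, as described in RFC 6749 section 10.4 (not Keycloak's code)."""

    def __init__(self) -> None:
        self.refresh: Dict[str, RefreshRecord] = {}

    def login(self) -> Tuple[str, str]:
        family = secrets.token_hex(8)
        r = secrets.token_urlsafe(16)
        self.refresh[r] = RefreshRecord(family)
        return secrets.token_urlsafe(16), r      # (access token, refresh token)

    def refresh_grant(self, presented: str) -> Optional[Tuple[str, str]]:
        rec = self.refresh.get(presented)
        if rec is None or rec.revoked:
            return None
        if rec.used:
            # A consumed token is being replayed: assume the family has leaked
            # and revoke every refresh token issued from the same login.
            for other in self.refresh.values():
                if other.family == rec.family:
                    other.revoked = True
            return None
        rec.used = True                           # retained, but no longer usable
        new_r = secrets.token_urlsafe(16)
        self.refresh[new_r] = RefreshRecord(rec.family)
        return secrets.token_urlsafe(16), new_r


def replay_flow() -> Dict[str, bool]:
    """Mike's steps 1-3, plus a fourth call showing R2 dies with the family."""
    ep = TokenEndpoint()
    _a1, r1 = ep.login()                          # step 1
    step2 = ep.refresh_grant(r1)                  # step 2: R1 -> (A2, R2)
    _a2, r2 = step2
    step3 = ep.refresh_grant(r1)                  # step 3: replay of R1
    after = ep.refresh_grant(r2)                  # R2 revoked by the replay
    return {"step2_ok": step2 is not None,
            "step3_ok": step3 is not None,
            "r2_alive": after is not None}
```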