[keycloak-dev] Refresh tokens no longer reusable
Stian Thorgersen
sthorger at redhat.com
Wed Oct 14 14:24:27 EDT 2015
Refresh tokens are no longer reusable. This is done by setting the client
session's timestamp when a new refresh token is issued. If the refresh
token's iat value is less than the client session's timestamp, it's not
permitted.
If anyone has time I'd appreciate a review of the changes:
https://github.com/keycloak/keycloak/pull/1732
For anyone who runs into issues with this policy, there's an option to
disable it in the admin console in the realm's token settings.
This does not apply to offline tokens (at least not yet). We need to add it to
offline tokens as well though, as it's even more important for those.
There are two problems with offline tokens though: firstly, setTimestamp
is not permitted on offline client sessions. Secondly, if we allow setting
it we would have to persist it, unless someone can come up with something
clever.
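The rotation check described in the message above, as an added, self-contained model written for this page; it is not Keycloak's code and does not use Keycloak's API. Tokens are plain dicts rather than signed JWTs (signature and expiry checks are assumed to have happened before this point), the realm toggle is modelled as a `revoke_refresh_token` flag whose name is an assumption, and a controllable clock stands in for wall-clock time so the replay scenario is deterministic. It shows the three cases the message distinguishes: a replayed refresh token is rejected once a newer one has been issued, the policy can be switched off at realm level, and offline sessions are not covered because their timestamp is never set.

```python
"""Model of refresh-token rotation via a per-client-session timestamp.

Illustrative code written for this page, not Keycloak's implementation.
A refresh token whose iat is strictly less than the client session's
timestamp is treated as already used and refused.
"""
import itertools
from dataclasses import dataclass


class RefreshRejected(Exception):
    """Raised when a refresh token is refused under the rotation policy."""


class Clock:
    """Controllable second-resolution clock so the scenario is deterministic."""

    def __init__(self, start=1_444_846_000):  # constructed epoch value
        self.now = start

    def advance(self, seconds=1):
        self.now += seconds


@dataclass
class ClientSession:
    client_id: str
    offline: bool = False
    # Time of the most recent refresh-token issuance for this session.
    # Refresh tokens with iat below this value are considered already used.
    timestamp: int = 0


class RealmTokenService:
    """Issues and refreshes tokens for one realm.

    revoke_refresh_token models the realm-level toggle mentioned in the
    message; the attribute name is an assumption made for this example.
    """

    def __init__(self, clock, revoke_refresh_token=True):
        self.clock = clock
        self.revoke_refresh_token = revoke_refresh_token
        self._jti = itertools.count(1)

    def issue_refresh_token(self, session):
        now = self.clock.now
        token = {
            "jti": next(self._jti),
            "iat": now,
            "client_id": session.client_id,
            "offline": session.offline,
        }
        # Move the session watermark forward so every earlier token is stale.
        # Offline sessions are skipped: the message says the policy does not
        # (yet) apply to them and their timestamp cannot be set.
        if self.revoke_refresh_token and not session.offline:
            session.timestamp = now
        return token

    def refresh(self, session, token):
        # Signature and expiry validation are assumed to have run already.
        if token["client_id"] != session.client_id:
            raise RefreshRejected("token is bound to a different client session")
        if (
            self.revoke_refresh_token
            and not token["offline"]
            and token["iat"] < session.timestamp
        ):
            # Older than the last issuance: this token was rotated out.
            raise RefreshRejected("refresh token has already been used")
        return self.issue_refresh_token(session)


def replay_is_rejected(revoke_refresh_token=True, offline=False):
    """Login, rotate twice, then replay the login-time token.

    Returns True when the replay is refused, False when it is accepted.
    """
    clock = Clock()
    svc = RealmTokenService(clock, revoke_refresh_token)
    session = ClientSession("webapp", offline=offline)  # constructed client
    first = svc.issue_refresh_token(session)   # token handed out at login
    clock.advance(30)
    second = svc.refresh(session, first)       # legitimate rotation
    clock.advance(30)
    svc.refresh(session, second)               # legitimate rotation again
    # An attacker who captured `first` presents it after it was rotated out.
    try:
        svc.refresh(session, first)
        return False
    except RefreshRejected:
        return True


def same_second_refresh_permitted():
    """The comparison is strictly less-than: iat equal to the session
    timestamp (issued and used within the same second) is still accepted."""
    clock = Clock()
    svc = RealmTokenService(clock)
    session = ClientSession("webapp")
    token = svc.issue_refresh_token(session)
    try:
        svc.refresh(session, token)            # no clock advance: iat == timestamp
        return True
    except RefreshRejected:
        return False


if __name__ == "__main__":
    print("replay rejected (policy on):     ", replay_is_rejected())
    print("replay rejected (policy off):    ", replay_is_rejected(revoke_refresh_token=False))
    print("replay rejected (offline token): ", replay_is_rejected(offline=True))
    print("same-second refresh permitted:   ", same_second_refresh_permitted())
```

The strict less-than comparison means a token issued and redeemed inside the same second is accepted, and a second token minted in that same second would also be accepted; a deployment that needs single-use semantics at sub-second granularity would have to compare on the token's jti rather than on iat.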