[keycloak-dev] Refresh tokens no longer reusable

Marek Posolda mposolda at redhat.com
Wed Oct 14 17:49:06 EDT 2015 

On 14/10/15 20:24, Stian Thorgersen wrote:
> Refresh tokens are no longer reusable. This is done by setting the 
> client sessions timestamp when a new refresh token is issued. If the 
> refresh tokens iat value is less than the client sessions timestamp 
> it's not permitted.
>
> If anyone has time I'd appreciate a review of the changes: 
> https://github.com/keycloak/keycloak/pull/1732
>
> For anyone that runs into issues with this policy there's an option to 
> disable it in the admin console in the realms token settings.
>
> This does not apply to offline tokens (at least yet). We need to add 
> it to offline tokens as well though as it's even more important for 
> those. There's two problems with offline tokens though, firstly the 
> setTimestamp is not permitted on offline client sessions. Secondly if 
> we allow setting it we would have to persist it, unless someone can 
> come up with something clever.
I think we don't need to persist, but just save clientSession with 
updated timestamp into infinispan/memory. Then during startup, the 
timestamp of clientSessions will be updated to startup time similarly 
like we have for lastSessionRefresh of user sessions. The refresh will 
be allowed if (iat == clientSession.timestamp OR startupTime == 
clientSession.timestamp) . In other words, first refresh after server 
restart will be always allowed.

There is some chance that there  can be same refresh token used two 
times (if attacker will do second refresh after server restart). But 
then clientSession timestamp will be updated and regular user won't be 
allowed to refresh his token and will recognize error.


But question is, do we really want refreshTokenReusable to be disabled 
by default? For offline tokens, people will often need to save the 
offline token into their database on application side. With 
refreshTokenReusable disabled, they will need to always write into their 
DB and save new offline token after each refresh.

Marek

>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151014/ff366f71/attachment-0001.html

More information about the keycloak-dev mailing list