[keycloak-user] Workflow Refresh token

Antoine Carton antoine at saagie.com
Mon Jul 3 09:29:28 EDT 2017


Hello,

Suppose a client "C" sends a request with an expired access token, to an
application "A".
Suppose that application "A" has the refresh token of client "C" and that
"A" automatically uses this refresh token so that everything is transparent
for client "C" until the refresh token expires as well.

The trouble is that a leak of the access token (yes, access token) of
client "C" will have the same result as a leak of the refresh token.

Is it a good practice to implement automatic refresh of the token? If it's
not, how should we use the refresh token?

The OAuth 2.0 RFC (https://tools.ietf.org/html/rfc6819#section-5.2.2.2)
explains that we have to bind the refresh token to the client_id to avoid
this situation. However, I am not able to understand what it means for
application "A".

Thanks!
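As an added illustration (not from the list post and not Keycloak's code), the following constructed Python model shows the design the RFC section points at: application "A" only validates the access token and answers 401 once it has expired, while the refresh token is redeemed at the token endpoint by the client that obtained it, authenticated with its own client_id and secret. With that binding, a leaked access token does not become a new access token, and a refresh token held by "A" is useless to "A". Client names, secrets and the in-memory token store are assumptions made for the example.

```python
import secrets

# Constructed in-memory authorization server state. Each refresh token is
# bound to the client_id that obtained it (RFC 6819 section 5.2.2.2).
REFRESH_TOKENS = {}                              # refresh_token -> {"client_id", "sub"}
CLIENTS = {"C": "c-secret", "A": "a-secret"}     # constructed client credentials

def issue(client_id, sub, now, ttl=300):
    """Issue a short-lived access token and a refresh token bound to client_id."""
    access = {"sub": sub, "exp": now + ttl, "client_id": client_id}
    refresh = secrets.token_urlsafe(16)
    REFRESH_TOKENS[refresh] = {"client_id": client_id, "sub": sub}
    return access, refresh

def refresh_grant(client_id, client_secret, refresh, now):
    """Token endpoint, refresh_token grant. Only the owning, authenticated
    client may redeem the token; the old refresh token is rotated out."""
    if CLIENTS.get(client_id) != client_secret:
        return None, "invalid_client"
    rec = REFRESH_TOKENS.get(refresh)
    if rec is None or rec["client_id"] != client_id:
        return None, "invalid_grant"             # unknown, used, or bound to another client
    del REFRESH_TOKENS[refresh]                  # one-time use: rotate on every refresh
    return issue(client_id, rec["sub"], now), None

def resource_server_handle(access, now):
    """Application A: validate the presented access token and nothing more.
    An expired token gets 401 so the client, not A, performs the refresh."""
    if access["exp"] <= now:
        return 401, 'WWW-Authenticate: Bearer error="invalid_token"'
    return 200, f"hello {access['sub']}"
```

The 401 response is the hand-off point: the client that holds the refresh token goes back to the token endpoint itself, so "A" never needs to store or use anyone's refresh token.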
