Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
560 views
in Technique[技术] by (71.8m points)

oauth 2.0 - Does the refresh token expire and if so when?

I have read the PODIO documentation. I have in particular contemplated the following statement concerning use of the refresh_token:

This request returns the same data as above, and you can continue to do this over and over again, to keep your application authenticated without having to ask the user to re-authenticate.

Does this mean that the refresh_token will be indefinitely valid or does it expire:

  1. X days after being issued; or
  2. X days after the last use of it for obtaining a new access_token

EDIT: Please see this PODIO Thread which asks the same questions but does not seem to give any conclusive answers about the PODIO implementation of the Oauth2.0 protocol.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The answer of your question:

Does this mean that the refresh_token will be indefinitely valid or does it expire?

...can be concluded from the section 1.5 and section 10.4 of the OAuth 2.0 specification.

Section 1.5 Introduction of refresh_token states:

Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner)

section 10.4 Security Considerations for refresh_token states:

The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.

For example, the authorization server could employ refresh token
rotation in which a new refresh token is issued with every access
token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is
compromised and subsequently used by both the attacker and the
legitimate client, one of them will present an invalidated refresh
token, which will inform the authorization server of the breach.

It can be concluded that if the authorization_server is able to verify the binding between a refresh_token and the client to whom it was issued then refresh_token can be used to obtain multiple access_token and will never expire. else the authorization sever will invalidate the old refresh_token and generate new refresh_token with every access token refresh response.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

1.4m articles

1.4m replys

5 comments

57.0k users

...