Do not issue refresh token when maximum session age is reached #435

Merged: 14 commits merged into main from fix/no-refresh-token-at-last on Jan 21, 2025

Conversation

byewokko (Collaborator) commented Jan 13, 2025

Summary

  • When a token request hits the maximum SSO session age, the client session can no longer be refreshed. The token response then contains only the access token and the ID token, with no refresh token.
  • The session maximum_age must be greater than the default expiration. This is enforced at app startup.
  • BREAKING 💥 When a public client includes a client secret in its token request, the server responds with an error instead of ignoring it.

Compatibility

  • ASAB Webui v24.47 or newer (Dummy client secret removed in !498)
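The three rules from the summary, written out as token-endpoint logic. This is an added illustration, not code from SeaCat Auth or ASAB; the configuration values, the rule that a client session is clipped to the remaining SSO lifetime, the `invalid_grant` answer for a session already past its maximum age and the `invalid_request` code for a public client that sends a secret are all my assumptions (the PR only says "an error").

```python
# Added illustration of the PR's token-endpoint policy; not SeaCat Auth / ASAB code.
import secrets
from datetime import datetime, timedelta, timezone

# Assumed configuration values (constructed for this example).
DEFAULT_EXPIRATION = timedelta(hours=1)  # lifetime of one client session / access token
MAXIMUM_AGE = timedelta(days=7)          # hard cap on the whole SSO session


def validate_session_config(maximum_age: timedelta, default_expiration: timedelta) -> None:
    """Startup check: a client session that cannot fit inside the SSO cap is a misconfiguration."""
    if maximum_age <= default_expiration:
        raise ValueError("session maximum_age must be greater than the default expiration")


def build_token_response(session_created_at: datetime, now: datetime, *,
                         is_public_client: bool, client_secret_present: bool,
                         maximum_age: timedelta = MAXIMUM_AGE,
                         default_expiration: timedelta = DEFAULT_EXPIRATION) -> dict:
    """Decide what the token endpoint hands back for one exchange/refresh request."""
    # Public clients have no secret by definition; a secret in their request is an error, not noise.
    if is_public_client and client_secret_present:
        return {"error": "invalid_request",
                "error_description": "public client must not send client_secret"}

    sso_end = session_created_at + maximum_age
    if now >= sso_end:
        # Assumed behaviour: the SSO session itself is past its maximum age, nothing is issued.
        return {"error": "invalid_grant", "error_description": "SSO session has expired"}

    # Assumed rule: the new client session is clipped to whatever SSO lifetime remains.
    expires_at = min(now + default_expiration, sso_end)
    response = {
        "token_type": "Bearer",
        "access_token": secrets.token_urlsafe(32),
        "id_token": "<id token>",  # constructed placeholder; a real server returns a signed JWT
        "expires_in": int((expires_at - now).total_seconds()),
    }
    # A refresh token only makes sense if SSO lifetime is left after this client session ends.
    if expires_at < sso_end:
        response["refresh_token"] = secrets.token_urlsafe(32)
    return response


if __name__ == "__main__":
    validate_session_config(MAXIMUM_AGE, DEFAULT_EXPIRATION)
    created = datetime(2025, 1, 13, tzinfo=timezone.utc)
    # Last refresh before the cap: access and ID token only, no refresh token.
    print(build_token_response(created, created + MAXIMUM_AGE - timedelta(minutes=30),
                               is_public_client=False, client_secret_present=True))
```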

@byewokko byewokko added the bug Something isn't working label Jan 13, 2025
@byewokko byewokko self-assigned this Jan 13, 2025
@byewokko byewokko merged commit 403ea4d into main Jan 21, 2025
5 checks passed
@byewokko byewokko deleted the fix/no-refresh-token-at-last branch January 21, 2025 11:12