Refresh Tokens #90
Refresh Tokens #90
Conversation
|
I'm not sure if this is mentioned elsewhere, in the section 'Refreshing an Access Token' perhaps mention that a refresh can be requested anytime at the discretion of the client; i.e. it does have to wait for an access code to expire before using its refresh token to request a new one. |
|
Good idea...I was trying to summarize the refresh flow and need to cite other sources for guidance. But that one I think should be included |
public/source/index.php
Outdated
| <li><code>access_token</code> (required) - the OAuth 2.0 Bearer Token [[!RFC6750]].<li> | ||
| <li><code>me</code> (required) - the canonical user profile URL for the user this access token corresponds to.</li> | ||
| <li><code>profile</code> (optional) - the user's profile information as defined in <a href="#profile-information">Profile Information</a>.</li> | ||
| <li><code>expires_in</code> (recommended) - The lifetime in seconds of the access token. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.</li> |
There was a problem hiding this comment.
❓ if omitted, OAuth2 clients would expect this to not expire:
expires_in (recommended) If the access token expires, the server should reply with the duration of time the access token is granted for.
(via)
There was a problem hiding this comment.
Correct, but that's the definition of expires_in from OAuth2.
There was a problem hiding this comment.
I would remove the "If omitted" clause. That really only makes sense when there are API docs for the service you can refer to. Technically it would still be true in IndieAuth, but there are basically no cases where it would happen so there's no need to call it out. IndieAuth is still extending OAuth so someone can refer to the original OAuth text if they really want to learn this.
public/source/index.php
Outdated
| &refresh_token=xxxxxxxx | ||
| ') ?></pre> | ||
|
|
||
| <p>If valid and authorized, the authorization server issues an access token as noted in <a href="#access-token-response">Access Token Response</a>. If an authorization server chooses to issue a new refresh token, then the refresh token scope MUST be identical to the one included by the client in the request.</p> |
There was a problem hiding this comment.
| <p>If valid and authorized, the authorization server issues an access token as noted in <a href="#access-token-response">Access Token Response</a>. If an authorization server chooses to issue a new refresh token, then the refresh token scope MUST be identical to the one included by the client in the request.</p> | |
| <p>If valid and authorized, the authorization server issues an access token, and optionally a fresh refresh token, as noted in <a href="#access-token-response">Access Token Response</a>. If an authorization server chooses to issue a new refresh token, then the refresh token scope MUST be identical to the one included by the client in the request. If an authorization server chooses to issue a new refresh token, then the previously used refresh token is expected to no longer be valid.</p> |
There was a problem hiding this comment.
That's not actually required in OAuth2, do we want to require it here? It's certainly recommended.
There was a problem hiding this comment.
I would say "optionally a new refresh token"
You could copy the language from OAuth 2.1 around this which includes the recommendation of this refresh token rotation which actually came from the Security BCP
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03#section-4.3.2
Co-authored-by: Jamie Tanna <[email protected]>
Co-authored-by: Jamie Tanna <[email protected]>
Co-authored-by: Jamie Tanna <[email protected]>
|
Re the CHANGES section, that would be after we merge these, we'd add it. |
|
My comments on #94 (comment) also apply here. The |
|
@jamietanna In your implementation, you send client_id, which isn't in my PR. |
|
Noting my description doesn't talk about client authentication, which is used in Oauth2's refresh, and needs discussion. |
|
Hmm, yes I'll check if my server supports not sending it but agreed that can be optional 👍🏽 |
I was thinking about this. It can be used to check to see if the client matches the original, but if you have a compromised refresh token, you probably have the client ID it came from. |
|
The The motivation for sending it in 2.0 is out of date, but it is still required and still can benefit the authorization server, such as being able to search a smaller index by first adding the |
|
@aaronpk @jamietanna I think I updated everything requested. |
Co-authored-by: Jamie Tanna <[email protected]>
|
Check to see if PR explicitly says that profile information is to be returned in flow. |
| <p>If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [[!RFC7159]] object containing the OAuth 2.0 Bearer Token [[!RFC6750]], as well as a property <code>me</code>, containing the canonical user profile URL for the user this access token corresponds to, and, if the <code>profile</code> scope was requested, the property <code>profile</code> with the user's profile information as defined in <a href="#profile-information">Profile Information</a>. For example:</p> | ||
| <p>If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [[!RFC7159]] object containing:</p> | ||
|
|
||
| <ul> |
There was a problem hiding this comment.
indentation is mismatched from other elements above/below
Tried to add in refresh tokens and expiration.