Posted to users@cxf.apache.org by Jose Escobar <eb...@gmail.com> on 2014/12/11 16:59:39 UTC

OAuth 2.0 refreshAccessToken revokes refreshToken

Hello to all,

I'm using CXF to implement an OAuth2 server with password and refresh_token
grant types.

Everything works correctly, but I found a strange behaviour
in the refreshAccessToken method of AbstractOAuthDataProvider. In this method
the refreshToken is revoked and a new one is generated, and also a new
access token is generated. The expected behaviour is just to refresh the access
token, not also the refresh token.

I know I can override this on my implementation of
AbstractOAuthDataProvider abstract class (I've done it), but why is that
behavior the default one?

Best regards,

Re: OAuth 2.0 refreshAccessToken revokes refreshToken

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 11/12/14 15:59, Jose Escobar wrote:
> Hello to all,
>
> I'm using CXF to implement an OAuth2 server with password and refresh_token
> grant types.
>
> Everything works correctly, but I found a strange behaviour
> in the refreshAccessToken method of AbstractOAuthDataProvider. In this method
> the refreshToken is revoked and a new one is generated, and also a new
> access token is generated. The expected behaviour is just to refresh the access
> token, not also the refresh token.
>
> I know I can override this on my implementation of
> AbstractOAuthDataProvider abstract class (I've done it), but why is that
> behavior the default one?
As far as I understand, it is best practice to recycle the actual 
refresh token too when the opportunity arises: it has a longer life 
cycle, and as such the risk of it possibly being misused is somewhat
higher.

https://tools.ietf.org/html/rfc6749#section-6
mentions "The authorization server MAY issue a new refresh token..."

The threat model doc also talks about it:

https://tools.ietf.org/html/rfc6819#section-5.2.2.3

Cheers, Sergey
>
> Best regards,
>
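The policy Sergey is describing is what RFC 6819 section 5.2.2.3 calls refresh token rotation: each use of the refresh_token grant invalidates the presented refresh token and returns a new one. The example below is an added, standalone illustration of that policy and is not Apache CXF code; the class and function names (TokenStore, issue_grant, refresh, walkthrough) and the lifetimes are this example's own assumptions. It goes one step beyond the thread, in the direction RFC 6819 points: the rotated-out refresh token is retained rather than deleted, so that a later presentation of it is recognised as reuse and the entire grant is revoked, which is the property that makes rotation worth the extra round of token issuance.

```python
"""Refresh-token rotation with reuse detection (RFC 6819, section 5.2.2.3).

Standalone illustration, not Apache CXF code. TokenStore, issue_grant, refresh,
walkthrough and the lifetimes below are assumptions made for this example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

ACCESS_TOKEN_LIFETIME = 300           # seconds; short-lived bearer credential
REFRESH_TOKEN_LIFETIME = 30 * 86400   # seconds; long-lived, hence worth rotating


class InvalidGrant(Exception):
    """Corresponds to the OAuth 2.0 'invalid_grant' error response."""


@dataclass
class StoredToken:
    key: str
    grant_id: str          # every token derived from one authorization shares this
    subject: str
    scopes: List[str]
    expires_at: float
    revoked: bool = False


class TokenStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # Revoked refresh tokens are kept on record (not deleted) so that a
        # later presentation of one can be recognised as reuse.
        self._refresh: Dict[str, StoredToken] = {}
        self._access: Dict[str, StoredToken] = {}

    def issue_grant(self, subject: str, scopes: List[str]) -> dict:
        """First issuance, e.g. the response to a password grant."""
        return self._issue_pair(secrets.token_hex(8), subject, scopes)

    def refresh(self, refresh_key: str) -> dict:
        """refresh_token grant: retire the presented refresh token, mint a new pair."""
        old = self._refresh.get(refresh_key)
        if old is None:
            raise InvalidGrant("unknown refresh token")
        if old.revoked:
            # A rotated-out token came back, so at least two parties hold a copy
            # (the client and whoever stole it). Neither can be trusted any more.
            self.revoke_grant(old.grant_id)
            raise InvalidGrant("refresh token reuse detected; grant revoked")
        if old.expires_at <= self._clock():
            raise InvalidGrant("refresh token expired")
        old.revoked = True
        return self._issue_pair(old.grant_id, old.subject, old.scopes)

    def revoke_grant(self, grant_id: str) -> None:
        for tok in list(self._refresh.values()) + list(self._access.values()):
            if tok.grant_id == grant_id:
                tok.revoked = True

    def access_token_active(self, access_key: str) -> bool:
        tok = self._access.get(access_key)
        return tok is not None and not tok.revoked and tok.expires_at > self._clock()

    def _issue_pair(self, grant_id: str, subject: str, scopes: List[str]) -> dict:
        now = self._clock()
        access = StoredToken(secrets.token_urlsafe(32), grant_id, subject,
                             list(scopes), now + ACCESS_TOKEN_LIFETIME)
        refresh = StoredToken(secrets.token_urlsafe(32), grant_id, subject,
                              list(scopes), now + REFRESH_TOKEN_LIFETIME)
        self._access[access.key] = access
        self._refresh[refresh.key] = refresh
        return {
            "access_token": access.key,
            "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_LIFETIME,
            "refresh_token": refresh.key,
            "scope": " ".join(scopes),
        }


def walkthrough() -> dict:
    """Constructed scenario: an attacker copies a refresh token the client still uses."""
    store = TokenStore()
    first = store.issue_grant("alice", ["read"])
    second = store.refresh(first["refresh_token"])       # legitimate client refreshes
    try:
        store.refresh(first["refresh_token"])            # attacker replays the old one
        reuse_detected = False
    except InvalidGrant:
        reuse_detected = True
    try:
        store.refresh(second["refresh_token"])           # client's current token is dead too
        grant_alive = True
    except InvalidGrant:
        grant_alive = False
    return {
        "rotated": first["refresh_token"] != second["refresh_token"],
        "reuse_detected": reuse_detected,
        "grant_alive": grant_alive,
        "second_access_active": store.access_token_active(second["access_token"]),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The cost of this policy is the one Jose ran into: a client that discards the new refresh_token in the refresh response will be locked out at its next refresh, and with reuse detection enabled a client that retries a refresh after a lost response will look like an attacker. Whether the access token issued alongside the old refresh token should also be revoked at refresh time is a separate policy decision the thread does not address; this example simply lets it expire.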