Doorkeeper: Refresh Token gets new token without client id and client secret

Created on 25 Sep 2018  路  7Comments  路  Source: doorkeeper-gem/doorkeeper

According to the docs, https://github.com/doorkeeper-gem/doorkeeper/wiki/API-endpoint-descriptions-and-examples#curl-command-refresh-token-grant

client id and secret are required. But, refresh token grant type works even though client id and client secret are not specified.

In /initializers/doorkeeper.rb , use_refresh_token has been specified.

Steps to reproduce

curl -X POST \
http://localhost:3030/oauth/token \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
"grant_type": "refresh_token",
"refresh_token": "8682......fabee5"
}'

Expected behavior

Expected a 401

Actual behavior

Got a new access token

Ruby version: 2.51

Gemfile.lock: doorkeeper (5.0.0)

bug

All 7 comments

also, re-using the same refresh token (without specify client id and secret) will generate new access tokens. Do refresh token get revoked after one time use?

Hi @hszeto . I took a deep look into OAuth 2.0 draft, Section 6. Refreshing an Access Token and wrote a spec for mentioned behavior.

Yes, it seems like we have a bug here.

What about revoke refresh token after use, take a look into RFC:

The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client.

As far as I remember we have such an option in the Doorkeeper configuration, but fix me if I wrong

thanks for the quick work. Looks good to me.

Dooh, closed automatically with GitHub.

Merged to master and will be released with next release. Also I need to backport it to 4.x version

Thanks @hszeto for clear explanation and upping this issue!

Also I need to backport it to 4.x version

@nbulaj this issue is years old so I may be too late, but it looks like this never made it into 4.x: https://github.com/doorkeeper-gem/doorkeeper/blob/v4.4.3/lib/doorkeeper/oauth/refresh_token_request.rb#L83-L85

Yep, my fault @seanstory . Thanks for reporting!

But for now I don't have plans to support 4.x version of the gem. I'm even planning to drop support for 5.0 and 5.1. So I recommend to update the gem to latest version. Thanks once again!

Was this page helpful?
0 / 5 - 0 ratings