According to the docs, https://github.com/doorkeeper-gem/doorkeeper/wiki/API-endpoint-descriptions-and-examples#curl-command-refresh-token-grant
client id and secret are required. But, refresh token grant type works even though client id and client secret are not specified.
In /initializers/doorkeeper.rb , use_refresh_token has been specified.
curl -X POST \
http://localhost:3030/oauth/token \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
"grant_type": "refresh_token",
"refresh_token": "8682......fabee5"
}'
Expected a 401
Got a new access token
Ruby version: 2.51
Gemfile.lock: doorkeeper (5.0.0)
also, re-using the same refresh token (without specify client id and secret) will generate new access tokens. Do refresh token get revoked after one time use?
Hi @hszeto . I took a deep look into OAuth 2.0 draft, Section 6. Refreshing an Access Token and wrote a spec for mentioned behavior.
Yes, it seems like we have a bug here.
What about revoke refresh token after use, take a look into RFC:
The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client.
As far as I remember we have such an option in the Doorkeeper configuration, but fix me if I wrong
thanks for the quick work. Looks good to me.
Dooh, closed automatically with GitHub.
Merged to master and will be released with next release. Also I need to backport it to 4.x version
Thanks @hszeto for clear explanation and upping this issue!
Also I need to backport it to 4.x version
@nbulaj this issue is years old so I may be too late, but it looks like this never made it into 4.x: https://github.com/doorkeeper-gem/doorkeeper/blob/v4.4.3/lib/doorkeeper/oauth/refresh_token_request.rb#L83-L85
Yep, my fault @seanstory . Thanks for reporting!
But for now I don't have plans to support 4.x version of the gem. I'm even planning to drop support for 5.0 and 5.1. So I recommend to update the gem to latest version. Thanks once again!