Passport: Refresh tokens are one time usage?

Created on 13 Feb 2018 · 4 Comments · Source: laravel/passport

Hi
I have a Laravel application using Passport, but the refresh_token behaviour seems weird.

I thought refresh_tokens could be kept (hence why they are long-lived) to request new access_tokens until they are revoked or expire,

but within Laravel Passport it is one-time use.

I was under the impression from the following articles:

https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
https://medium.com/@bantic/more-oauth-2-0-surprises-the-refresh-token-1831d71f4af6

that refresh_tokens indeed don't refresh the access_token but grant you new ones. But while granting new ones, Passport grants me a new refresh_token to use and actually revokes the old one.

1) Is this weird behavior, or is this how it is supposed to be?
2) Is there a way to make the refresh_token reusable to grant access_tokens until it is revoked or expires?

All 4 comments

The refresh token should not be revoked on the first use. This is discussed in an oauth2-server issue. But the issue is closed since oauth2-server actually does not implement that. So this is a laravel/passport bug.

https://github.com/thephpleague/oauth2-server/issues/735#event-1492767881

As described in the RFC:

The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the
new refresh token. The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client. If a
new refresh token is issued, the refresh token scope MUST be
identical to that of the refresh token included by the client in the
request.

It's not a MUST that the server revokes the refresh_token. Maybe Passport should be configurable to allow this.

Yes, by RFC it is optional, and it looks like most platforms don't re-issue refresh tokens, but as @leroy0211 said, it would be nice if it were configurable.

As @leroy0211 stated, this is optional. You're always free to overwrite the default components of Passport or send in a PR to allow this to be configured.
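Editor's note, added to this thread and not part of any comment above: the two behaviours the thread argues about are both allowed by RFC 6749 section 6, and the difference matters for security. Rotating the refresh token and revoking the old one (what Passport does) lets the server notice when a rotated-out token is presented again, which is the classic signal that a refresh token was stolen; a reusable refresh token cannot give that signal. The model below is an added, self-contained example written for this page in Python. It is not Passport's or league/oauth2-server's code, and the class names, the `rotate_refresh_tokens` flag, the token `family` field and the in-memory token store are all assumptions chosen to illustrate the protocol, not anything Passport exposes.

```python
import secrets
import time
from dataclasses import dataclass


class RefreshGrantError(Exception):
    """Raised for the failure cases RFC 6749 reports as invalid_grant / invalid_scope."""


@dataclass
class RefreshToken:
    id: str
    user_id: str
    scopes: frozenset
    family: str          # assumption: every token descended from one grant shares this
    expires_at: float
    revoked: bool = False


@dataclass
class AccessToken:
    token: str
    user_id: str
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    """Illustrative model of the refresh_token grant (RFC 6749 section 6), not Passport code.

    rotate_refresh_tokens=True  -> Passport-style: each refresh revokes the presented
                                   token and returns a new one; reuse is treated as theft.
    rotate_refresh_tokens=False -> the refresh token stays reusable until it expires or
                                   is revoked, which the RFC equally permits (it is a MAY).
    """

    def __init__(self, rotate_refresh_tokens=True, access_ttl=3600,
                 refresh_ttl=30 * 86400, clock=time.time):
        self.rotate = rotate_refresh_tokens
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.clock = clock
        self._refresh_tokens = {}   # id -> RefreshToken; stands in for a database table

    def issue_grant(self, user_id, scopes):
        """Initial authorization: one access token plus one refresh token in a new family."""
        family = secrets.token_hex(8)
        refresh = self._new_refresh_token(user_id, frozenset(scopes), family)
        return self._new_access_token(user_id, refresh.scopes), refresh

    def refresh(self, refresh_token_id, requested_scopes=None):
        now = self.clock()
        token = self._refresh_tokens.get(refresh_token_id)
        if token is None:
            raise RefreshGrantError("invalid_grant: unknown refresh token")
        if token.revoked:
            # A rotated-out token presented again was either leaked or the client lost
            # the rotation response; either way, revoke every token in the family.
            self._revoke_family(token.family)
            raise RefreshGrantError("invalid_grant: refresh token reuse, family revoked")
        if token.expires_at <= now:
            raise RefreshGrantError("invalid_grant: refresh token expired")

        # The requested scope must not include anything beyond the original grant.
        scopes = token.scopes if requested_scopes is None else frozenset(requested_scopes)
        if not scopes <= token.scopes:
            raise RefreshGrantError("invalid_scope: exceeds originally granted scope")

        access = self._new_access_token(token.user_id, scopes)
        if not self.rotate:
            return access, token          # same refresh token remains valid

        token.revoked = True
        # A newly issued refresh token's scope MUST be identical to the presented one's,
        # so it carries token.scopes even when the access token was down-scoped.
        return access, self._new_refresh_token(token.user_id, token.scopes, token.family)

    def is_valid(self, refresh_token_id):
        token = self._refresh_tokens.get(refresh_token_id)
        return token is not None and not token.revoked and token.expires_at > self.clock()

    def _new_refresh_token(self, user_id, scopes, family):
        token = RefreshToken(secrets.token_urlsafe(32), user_id, scopes, family,
                             self.clock() + self.refresh_ttl)
        self._refresh_tokens[token.id] = token
        return token

    def _new_access_token(self, user_id, scopes):
        return AccessToken(secrets.token_urlsafe(32), user_id, scopes,
                           self.clock() + self.access_ttl)

    def _revoke_family(self, family):
        for t in self._refresh_tokens.values():
            if t.family == family:
                t.revoked = True
```

Run `issue_grant` once and `refresh` twice with the same token id: with rotation on, the second call fails and also invalidates the replacement token that was handed out on the first call; with rotation off, both calls succeed and return the original token. If you do make Passport's behaviour configurable as the thread suggests, the reusable mode gives up that reuse detection, so pair it with a shorter refresh token lifetime.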
