
I am implementing an OAuth server using Spring OAuth. I notice that Spring's implementation reissues the same access token, if not expired, from the token endpoint. However, the behavior is different while refreshing access tokens: a new token is issued each time. Are there any concerns to keep in mind if I were to reissue the same unexpired access token on receiving a valid refresh request?

VDev

1 Answer


The OAuth spec, section 6, specifies that:

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.

There does not seem to be a requirement that the access token is brand new.

I think the main concern is to ensure that you do not change the expiration date on an existing token, and that you correctly return to the client an accurate expires_in property which reflects when the token will expire.

In addition, it might make the semantics confusing for clients. The refresh is usually done when a token is expired, and the client wants a new one.

I can imagine some odd edge cases. A client could send a request to refresh a token a few seconds before it is expired (perfectly valid logic for a client), but still receive back the same token which is almost expired.

Sanketh Katta