Menu
Whenever we refresh our authorization using DotNetOpenAuth a new Oauth2.0 RefreshToken is enclosed in the response.
Since the RefreshToken itself is a long-lived token what is the reason we get a new RefreshToken after every request?
And what is the best way to handle this new RefreshTokens, should we store the new RefreshToken everytime we refresh our authorization or should we just keep the old RefreshToken and ignore the new one?
Also see this bit of example code to provide some context.
var serviceDescription = new AuthorizationServerDescription
{
ProtocolVersion = ProtocolVersion.V20,
TokenEndpoint = new Uri(Constants.TokenEndPoint)
};
var client = new WebServerClient(serviceDescription,
Constants.ClientId, Constants.ClientSecret);
var authorization = new AuthorizationState()
{
//Insert our stored RefreshToken
RefreshToken = TokenStore.Instance.RefreshToken
};
if (client.RefreshAuthorization(authorization))
{
//Store or ignore the new RefreshToken?
var NewRefreshToken = authorization.RefreshToken;
}
639
The refresh token you get back in the response may or may not be included in the response. If it is present, the spec says you must use the new refresh token for all future token refreshes. If you use the old one again, the authorization server may revoke authorization entirely.
The reason for this, from my understanding of the Working Group discussions, is that by changing the refresh token on the client periodically, the authorization server can detect if the refresh token has been accidentally leaked to a 3rd party. Since both the approved client and the 3rd party would be using the same refresh token, if one party received a new refresh token, the other would still use the old one. When the old one comes in then, the fact that there are two clients using the same refresh token would tip off the auth server of a security breach, and it could shut it down.
168
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
