Hi Torsten,
This is the module I much prefer. By default all refresh_tokens are
bound to the user's authenticated session. When the authentication
session is terminated, the refresh_tokens are invalidated. If a client
wants to get a refresh_token that is NOT bound to an authentication
session, then it must explicitly request the "offline_access" scope,
which then provides a consent interaction with the user that allows the
user to know that this client wants to access their resources even when
the user isn't logged in (present). This also provides the AS with the
ability to control which clients are authorized to request
"offline_access" and hence restrict that capability to known/approved
clients.
We've implemented this module in two different Authorization Servers.
Thanks,
George
On 11/15/18 9:28 AM, Torsten Lodderstedt wrote:
Hi all,
I'm preparing a new section on Refresh Token best practices for the Security
BCP. I'm wondering whether anyone has implemented a binding of the refresh
token's expiration/revocation with the state of the session the refresh token
was issued in/for. So do you revoke refresh tokens when the user logs out from
the AS or the session is terminated for other reasons?
kind regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
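The model George describes above (session-bound refresh tokens by default, session-independent tokens only for allow-listed clients that request "offline_access" and obtain user consent), as an added example. This is not code from the thread or from either of the authorization servers mentioned; the client ids, the consent hook and the token layout are illustrative assumptions.

```python
# Added example: toy in-memory authorization server that binds refresh
# tokens to the authentication session they were issued in, unless the
# client was approved for, requested, and got consent for "offline_access".
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set

OFFLINE_ACCESS = "offline_access"


@dataclass
class RefreshToken:
    client_id: str
    subject: str
    scopes: FrozenSet[str]
    session_id: Optional[str]  # None means session-independent (offline) token
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, offline_clients: Set[str],
                 consent: Callable[[str, str], bool]) -> None:
        self.offline_clients = set(offline_clients)  # clients allowed to ask for offline_access
        self.consent = consent                       # stand-in for the consent screen
        self.sessions: Dict[str, str] = {}           # session_id -> subject
        self.tokens: Dict[str, RefreshToken] = {}    # token value -> record

    def login(self, subject: str) -> str:
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = subject
        return session_id

    def issue_refresh_token(self, session_id: str, client_id: str,
                            scopes: Set[str]) -> str:
        if session_id not in self.sessions:
            raise PermissionError("no active authentication session")
        subject = self.sessions[session_id]
        bound_to: Optional[str] = session_id
        if OFFLINE_ACCESS in scopes:
            # Offline tokens only for approved clients, and only after the user
            # has been told this client wants access while they are not present.
            if client_id not in self.offline_clients:
                raise PermissionError(f"{client_id} may not request offline_access")
            if not self.consent(subject, client_id):
                raise PermissionError("user declined offline_access")
            bound_to = None
        value = secrets.token_urlsafe(32)
        self.tokens[value] = RefreshToken(client_id, subject, frozenset(scopes), bound_to)
        return value

    def logout(self, session_id: str) -> int:
        """End the session and invalidate every refresh token bound to it."""
        self.sessions.pop(session_id, None)
        revoked = 0
        for tok in self.tokens.values():
            if tok.session_id == session_id and not tok.revoked:
                tok.revoked = True
                revoked += 1
        return revoked

    def refresh(self, value: str, client_id: str) -> Optional[dict]:
        """Exchange a refresh token for a new access token, or None if refused."""
        tok = self.tokens.get(value)
        if tok is None or tok.revoked or tok.client_id != client_id:
            return None
        # A bound token whose session vanished for any reason (timeout, admin
        # action) is dead even if logout() never ran for it.
        if tok.session_id is not None and tok.session_id not in self.sessions:
            tok.revoked = True
            return None
        return {"sub": tok.subject, "scope": " ".join(sorted(tok.scopes)),
                "access_token": secrets.token_urlsafe(24)}


def demo() -> dict:
    """Walk through the scenario from the mail; returns the outcomes."""
    az = AuthorizationServer({"backup-agent"}, consent=lambda sub, cid: True)
    sid = az.login("alice")
    web = az.issue_refresh_token(sid, "web-app", {"openid", "profile"})
    offline = az.issue_refresh_token(sid, "backup-agent", {"openid", OFFLINE_ACCESS})
    try:  # an unapproved client asking for offline_access is refused outright
        az.issue_refresh_token(sid, "web-app", {"openid", OFFLINE_ACCESS})
        unapproved_rejected = False
    except PermissionError:
        unapproved_rejected = True
    before = az.refresh(web, "web-app") is not None
    revoked = az.logout(sid)
    return {
        "unapproved_rejected": unapproved_rejected,
        "web_ok_before_logout": before,
        "revoked_on_logout": revoked,
        "web_ok_after_logout": az.refresh(web, "web-app") is not None,
        "offline_ok_after_logout": az.refresh(offline, "backup-agent") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The consent callable is where a real AS would render its consent page; the allow-list check runs before it so that a client not approved for offline access never even reaches the user. Note that refresh() re-checks the session on every use rather than trusting the revoked flag alone, so tokens issued in a session that expired without an explicit logout are refused too.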