Comments (6)
I just had a sticky beak at facebook's implementation and it looks like in their case, they will actually send you the existing token again if you request it again and the token is not expired.
from oauth2-server-php.
This is a tricky one... I cannot find anything in the spec to address this. The closest reference to this I have found is here:
Refresh tokens are issued to the client by the authorization server and are
used to obtain a new access token when the current access token
becomes invalid or expires, or to obtain additional access tokens
with identical or narrower scope (access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner
This implies that multiple access tokens with "identical or narrower scope" can exist at the time time. Perhaps we should make this configurable, and return the existing token by default.
from oauth2-server-php.
@bshaffer Thanks for the answer.
Facebook's implementation returns your existing access token straight through redirects, but you're originally requesting against the /authorize endpoint. Meaning before returning the existing access token, you can check if its scope match the requested scope of the new authorize request.
If yes, return it. If no, go through the entire OAuth dance again, and generate a new token.
from oauth2-server-php.
@bshaffer: Yes, perhaps we can mimic FB's implementation. How would you suggest this be done? Just a parameter in the $config
array in the constructor of the server?
from oauth2-server-php.
@F21 yes, but more specifically the GrantController
, as the Server
class is nothing more than a convenience wrapper for the three Controllers (if that's confusing, I'm sorry. Not sure how to get around that one).
If the flag is set, we'd just want to perform a call to getAccessToken with the proper checks, and skip the creation. It should be pretty straightforward
from oauth2-server-php.
@bshaffer Would like to have a crack at this. What are your views on implementing this?
Looking at #122, we would implement a check to see if the token exists and return the old token in createAccessToken()
in ResponseType\AccessToken
. Is this still the case?
Should this behaviour be the default behaviour? Should there be a configuration flag to turn this on and off? I see that the Server class has some functionality to set/get configuration. However, this is not being passed to the TokenController at all.
Finally, I am thinking that we should have a "fuzzy parameter" with a default of say 20 seconds. If the token expires 20 seconds from now, we return a new token instead.
from oauth2-server-php.
Related Issues (20)
- After creating User Credentials root Problem when calling refresh_token
- User Credentials grant doesn't verify user_id vs Client Credentials user_id
- Example project is not compatable for php version >= 8.1 HOT 1
- Revoking token
- unable to generate access token
- PKCE Support, please HOT 1
- Integration with Psr\Http\Message\ RequestInterface and ResponseInterface HOT 1
- [QUESTION] OpenID Connect Back-Channel Logout
- Firebase/JWT <6 is considered security risk HOT 6
- Different user database depending on client_id
- Add getToken() to ResourceControllerInterface
- cors issue with authorize.php
- Help with error using JWT?
- Ci4 OAuth2 ACCESS_TOKEN invalid
- No way to distinguish between "invalid" and expired JWT token HOT 8
- Step-by-step Walkthrough not up-to-date HOT 2
- Not possible to inject custom implementation of EncryptionInterface without overriding whole createDefaultIdTokenResponseType() or whole response type
- how do i use cookie
- http://192.168.1.205/authorize.php?response_type=code&client_id=testclient&state=xyz HOT 2
- Device Authorization Grant support
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oauth2-server-php.