If the blacklist app is enabled mark rotated refresh tokens as outstanding#519
Conversation
Andrew-Chen-Wang
left a comment
Andrew-Chen-Wang
left a comment
There was a problem hiding this comment.
I'm confused what this is trying to do; can you clarify? Are you just abstracting code?
|
Just came across this because I believe I have the same issue. When a token is initially created, it is added to the OutstandingToken table. However, when that same token is refreshed, the new refresh token isn't added to the new OutstandingToken table, causing it to then be rejected when there is an attempt to use it to refresh. Is that right @vainu-arto? |
In my case refreshing tokens succeeds. At least the version of this lib I'm running doesn't require that the token exists in OutstandingToken before allowing it to be refreshed. |
…tanding The token blacklisting itself works without this (the OutstandingToken object will be created when adding a token to the blacklist), but the list of outstanding tokens would very quickly get out of date in the presence of refresh token rotation, and be unusable for any other purpose (for example being able to tell which users have valid outstanding tokens).
for more information, see https://pre-commit.ci
vainu-arto
force-pushed
the
create-outstanding-token-for-rotated-refresh-token
branch
from
a79b9de to
77ffaca
Compare
|
@Andrew-Chen-Wang The fix (without the tests) was already applied as #866, should we just close this PR? |
|
seems fixed from recent pr |
3 participants
The token blacklisting itself works without this (the OutstandingToken
object will be created when adding a token to the blacklist), but the list
of outstanding tokens would very quickly get out of date in the presence of
refresh token rotation, and be unusable for any other purpose (for example
being able to tell which users have valid outstanding tokens).
Fixes #363 and #25