feat: add DISABLE_REFRESH_TOKEN_NBF to disable refresh_token.nbf#653
andoks
left a comment
Hope you don't mind, I had a look in lieu of not being able to test it. Only thing I could find was some potential "typos" in the documentation.
> # However, there are bad / lazy client implementations that do not respect
> # either `nbf` in the `refresh_token`, or the `exp` claim in `access_token`
> # and will refresh early while the current access_token is still valid.
I have the impression that refresh_tokens usually are opaque (which seems to be supported by at least one of the standards), so I am not sure nbf-checking of refresh-tokens usually would be related to a project's quality 😅
AT expiry, though, should probably best be checked (at least for clients like oauth2-proxy).
Agreed. exp checking on the access_token must be done, though, and I don't see any good reason why you would refresh a still valid access_token, other than simply being lazy in the implementation.
I made the refresh token just another JWT to give clients the possibility to inspect it and gain further information. Even though it's non-standard, it's an additional feature.
fixes #651
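The client/server interplay discussed above, as an added illustration that is not part of this PR or the project's own code: a well-behaved client only refreshes once the access_token's `exp` has passed, while a lazy client refreshes early and runs into the refresh_token's `nbf` unless the server has that check switched off. The server's DISABLE_REFRESH_TOKEN_NBF option from the PR title is mirrored by the `disable_refresh_token_nbf` parameter, an assumed name for the demo. Like the PR author's design, the refresh_token here is a JWT carrying `nbf`; the tokens are constructed, unsigned (`alg: none`) test values, and signature verification is deliberately omitted, so nothing here should be used to trust real claims.

```python
import base64
import json
from typing import Tuple


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed demo token: header + payload and an EMPTY signature.
    Only used to produce inspectable claims; never accept such tokens for real."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def claims_of(token: str) -> dict:
    """Decode the claims segment of a compact JWT. No signature check (demo)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def client_needs_refresh(access_token: str, now: int, leeway: int = 0) -> bool:
    """Well-behaved client: refresh only when the access_token's exp has passed."""
    exp = claims_of(access_token).get("exp")
    if exp is None:
        raise ValueError("access_token has no exp claim")
    return now + leeway >= exp


def server_accepts_refresh(refresh_token: str, now: int,
                           disable_refresh_token_nbf: bool = False,
                           leeway: int = 0) -> Tuple[bool, str]:
    """Server side: reject expired refresh_tokens always; reject not-yet-valid
    ones (nbf) unless the operator disabled that check (assumed flag name)."""
    claims = claims_of(refresh_token)
    exp = claims.get("exp")
    if exp is not None and now >= exp + leeway:
        return False, "refresh_token expired"
    nbf = claims.get("nbf")
    if not disable_refresh_token_nbf and nbf is not None and now + leeway < nbf:
        return False, "refresh_token not yet valid (nbf)"
    return True, "ok"


# Constructed sample tokens: access_token lives 5 minutes, refresh_token becomes
# usable exactly when the access_token expires and lives one hour.
T0 = 1_700_000_000
ACCESS_TOKEN = make_unsigned_jwt({"sub": "alice", "iat": T0, "exp": T0 + 300})
REFRESH_TOKEN = make_unsigned_jwt({"sub": "alice", "iat": T0, "nbf": T0 + 300,
                                   "exp": T0 + 3600})


def simulate(now: int, lazy_client: bool, disable_nbf: bool) -> str:
    """What happens when a client tries to refresh at time `now`."""
    if not lazy_client and not client_needs_refresh(ACCESS_TOKEN, now):
        return "client: access_token still valid, no refresh attempted"
    ok, reason = server_accepts_refresh(REFRESH_TOKEN, now, disable_nbf)
    return f"server: {'accepted' if ok else 'rejected'} ({reason})"


if __name__ == "__main__":
    for now, lazy, disabled in [(T0 + 100, False, False), (T0 + 100, True, False),
                                (T0 + 100, True, True), (T0 + 400, True, False)]:
        print(f"t=+{now - T0:<4} lazy={lazy!s:<5} nbf_disabled={disabled!s:<5} -> "
              f"{simulate(now, lazy, disabled)}")
```

The early-refresh case shows why the flag exists: with `nbf` enforced the lazy client is rejected at t=+100 and has to wait, with it disabled the server accepts the refresh even though a valid access_token is still in circulation, so flipping it trades strictness for compatibility with such clients.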