This repository has been archived on 2023-08-14. You can view files and clone it, but cannot push or open issues or pull requests.
dex/server
Eric Chiang f778b2d33b server: update refresh tokens instead of deleting and creating another
The server implements a strategy called "Refresh Token Rotation" to
ensure refresh tokens can only be claimed once.

ref: https://tools.ietf.org/html/rfc6819#section-5.2.2.3

Previously "refresh_token" values in token responses where just the
ID of the internal refresh object. To implement rotation, when a
client redeemed a refresh token, the object would be deleted, a new
one created, and the new ID returned as the new "refresh_token".

However, this means there was no consistent ID for refresh tokens
internally, making things like foreign keys very hard to implement.
This is problematic for revocation features like showing all the
refresh tokens a user or client has out.

This PR updates the "refresh_token" to be an encoded protobuf
message, which holds the internal ID and a nonce. When a refresh
token is used, the nonce is updated to prevent reuse, but the ID
remains the same. Additionally it adds the timestamp of each
token's last use.
2017-01-11 12:07:48 -08:00
..
internal server: update refresh tokens instead of deleting and creating another 2017-01-11 12:07:48 -08:00
api_test.go server: modify error messages to use logrus. 2016-12-13 11:52:44 -08:00
api.go Merge pull request #740 from ericchiang/fix-comment-typos 2016-12-13 13:17:50 -08:00
doc.go initial commit 2016-07-26 15:51:24 -07:00
handlers_test.go Allow CORS on discovery endpoint 2017-01-08 19:22:39 +01:00
handlers.go server: update refresh tokens instead of deleting and creating another 2017-01-11 12:07:48 -08:00
oauth2_test.go server: fixes for the implicit and hybrid flow 2017-01-10 16:20:17 -08:00
oauth2.go server: fixes for the implicit and hybrid flow 2017-01-10 16:20:17 -08:00
rotation_test.go initial commit 2016-07-26 15:51:24 -07:00
rotation.go server: fixes for the implicit and hybrid flow 2017-01-10 16:20:17 -08:00
server_test.go server: update refresh tokens instead of deleting and creating another 2017-01-11 12:07:48 -08:00
server.go server: fixes for the implicit and hybrid flow 2017-01-10 16:20:17 -08:00
templates_test.go *: add theme based frontend configuration 2016-11-30 17:20:21 -08:00
templates.go server: add error HTML templates with error description. 2016-12-16 10:42:54 -08:00