New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove token from client #431
base: main
Are you sure you want to change the base?
Conversation
@@ -87,6 +87,7 @@ mod tests { | |||
iterations: NonZeroU32::new(100_000).unwrap(), | |||
}, | |||
client_id: "1".to_string(), | |||
refresh_token: None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a bit hesitant to couple refresh_token to login method. While it's true certain login methods get a refresh token while others don't, there is no direct relation to users.
I suspect we could quite easily get a refresh token for access tokens by sending the appropriate query params. https://docs.duendesoftware.com/identityserver/v6/tokens/refresh/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not so much which methods return a refresh token and which don't, but wether we actually use the refresh_token for that method when renewing tokens.
At the moment we have the following renewal patterns:
- User with username: We use client_id and refresh_token
- User with apikey: We use client_id and client_secret
- Service account with access token: We use the access token's id and client_secret
So even if the other methods return a refresh_token, it would only be used in the case of user with username.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that case what do you think about changing the flow to always use refresh_token if set and only falling back to the generic renew if it doesn't exist?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, that can work, but we would also need to pull the client_id from each login_method and into the client, as we need it for the token refresh request.
Type of change
Objective
As mentioned in #388, the
token
andrefresh_token
fields inClient
are never really required directly byClient
. Thetoken
is already directly set within the API clients, and therefresh_token
is only used for the renew function with the user login method.Knowing this, we can remove
token
entirely and moverefresh_token
intoUserLoginMethod::Username
.