New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: always rotate refresh tokens for public clients #2846
fix: always rotate refresh tokens for public clients #2846
Conversation
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187475484 The labels on this github issue will be updated when the story is started. |
@mikeroda this PR has conflicts from the begin, so you need to resolve conflicts / rebase your branch |
When refreshing a token, always rotate for public clients, thus not requiring rotation to be enabled for all clients and preventing the possible error condition for public clients. Change-Id: I6ab80dd8b1928ab55863cea52849ff22f35c2779
fec7d75
to
cefc301
Compare
@mikeroda will check the PR and we take it on the list , means if we do not see a problem it should come into dev , end of next week |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok from my side @swalchemist can you check from broadcom side.
Only touches your clients if they use public clients...
Hi we have not looked at this PR yet. |
Ok can you please look and vote if it needs to be reverted |
We do have a public client. This change seems like a breaking change?
This current change makes an exception to the flag and always rotate public clients's refresh token, and potentially breaking the backward compatibility brought by the flag.
Could you explain this? If you wish to rotate the refresh tokens, why not just set |
Ultimately we want to get to always rotating refresh tokens for public clients. The problem with the flag is it affects all clients. This doesn't seem like an adverse change because if you didn't set the flag and attempted to refresh a token with a public client, you would get "Refresh without client authentication not allowed" error. Now you would get a successful response and newly rotated refresh token. So I don't see how this breaks anything. |
I see. Currently, UAA doesn't allow token refresh for public clients when |
When refreshing a token, always rotate for public clients, thus not requiring rotation to be enabled for all clients and preventing the possible error condition for public clients. Change-Id: I6ab80dd8b1928ab55863cea52849ff22f35c2779
When refreshing a token, always rotate for public clients, thus not requiring rotation to be enabled for all clients and preventing the possible error condition for public clients.