Grigory Bushuev

Reputation: 883

Revoking an old OAuth 2.0 refresh token

In exchange for a refresh token we get a new access token and a new refresh token. Should the old refresh token be revoked in this case?

Upvotes: 0

Views: 154

Answers (1)

Hans Z.

Reputation: 54118

The Authorization Server should have invalidated the old refresh token on its own, no action should be required from the Client. In the specification https://www.rfc-editor.org/rfc/rfc6749#section-6 it is a "MAY" for the Authorization Server:

The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.

But it would be considered bad security hygiene if it didn't do so. Alternatively it could expose a token revocation API as laid out in RFC 7009 https://www.rfc-editor.org/rfc/rfc7009.

Upvotes: 1
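The server-side behaviour the answer describes, as an added illustration (not code from the question, the answer, or any real authorization server): a toy authorization server that drops the presented refresh token before minting the new pair, so the old one is invalid from then on without any client action, plus a revocation endpoint along the lines of RFC 7009. Token expiry, client authentication and storage are omitted; all names and the in-memory layout are assumptions of this example.

```python
from __future__ import annotations
import secrets


class AuthorizationServer:
    """Constructed toy AS: rotates the refresh token on every refresh call and
    invalidates the old one itself (RFC 6749 sec. 6), and exposes an RFC 7009
    style revocation endpoint. Token expiry is left out to keep it short."""

    def __init__(self) -> None:
        self.grants: dict[str, dict] = {}        # grant_id -> {"client", "access"}
        self.refresh_index: dict[str, str] = {}  # live refresh token -> grant_id
        self.access_index: dict[str, str] = {}   # live access token -> grant_id

    def _mint(self, grant_id: str) -> tuple[str, str]:
        """Mint a fresh access/refresh pair and register both for the grant."""
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.grants[grant_id]["access"].add(access)
        self.refresh_index[refresh] = grant_id
        self.access_index[access] = grant_id
        return access, refresh

    def issue(self, client_id: str) -> tuple[str, str]:
        """Initial issuance, e.g. after an authorization-code exchange."""
        grant_id = secrets.token_urlsafe(16)
        self.grants[grant_id] = {"client": client_id, "access": set()}
        return self._mint(grant_id)

    def refresh(self, client_id: str, old_refresh: str) -> tuple[str, str] | None:
        """Refresh grant. The presented token is removed *before* the new pair is
        minted, so it is dead from then on and the client has nothing to revoke.
        None stands for an 'invalid_grant' error response."""
        grant_id = self.refresh_index.get(old_refresh)
        if grant_id is None or self.grants[grant_id]["client"] != client_id:
            return None
        del self.refresh_index[old_refresh]  # old refresh token invalidated here
        return self._mint(grant_id)

    def revoke(self, token: str) -> None:
        """RFC 7009 endpoint: a revoked refresh token takes its grant's access tokens
        with it; a revoked access token dies alone; unknown tokens are accepted silently."""
        grant_id = self.refresh_index.pop(token, None)
        if grant_id is not None:
            for access in self.grants.pop(grant_id)["access"]:
                self.access_index.pop(access, None)
        else:
            self.access_index.pop(token, None)

    def access_token_valid(self, token: str) -> bool:
        return token in self.access_index
```

Replaying the old refresh token after a rotation yields `None` (an `invalid_grant` response), which is the property the answer relies on.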
