marcv

Reputation: 1976

Shouldn't the old access token be invalidated by a refresh call?

When I refresh an OAuth access token A, I get a new access token B. But A is still valid, I can still use it.

Shouldn't the old access token be invalidated by the refresh operation? If not, if it's "by design", could someone give me details about why?

Note: using Symfony with the FOSOAuthServerBundle bundle.

Upvotes: 3

Views: 158

Answers (1)

Spomky-Labs

Reputation: 16725

RFC 6749 section 1.5 indicates that:

Refresh tokens are issued to the client by the authorization server and are used to obtain [...] additional access tokens with identical or narrower scope

As far as I understand, the access token A may be still valid when an access token B is issued with the refresh token.

Upvotes: 3
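The behaviour the answer describes, as an added Python illustration that is not code from the question, the answer or FOSOAuthServerBundle: a refresh grant issues B while A stays valid until its own expiry, scope may only be identical or narrower, and an optional revoke-on-refresh flag (a server policy choice, not something RFC 6749 requires) shows the alternative where A is invalidated. The token store and its method names are assumptions made for this example.

```python
import secrets
import time


class TokenStore:
    """Minimal in-memory OAuth 2.0 token store (constructed example, not FOSOAuthServerBundle)."""

    def __init__(self, revoke_previous_on_refresh=False, access_ttl=3600):
        # RFC 6749 does not require revoking older access tokens on refresh;
        # the flag below is an optional hardening policy, not RFC behaviour.
        self.revoke_previous_on_refresh = revoke_previous_on_refresh
        self.access_ttl = access_ttl
        self.access = {}   # access token -> {"scope", "expires_at", "revoked"}
        self.refresh = {}  # refresh token -> {"scope", "issued": [access tokens]}

    def issue(self, scope, now=None):
        """Initial grant: returns (access_token, refresh_token)."""
        now = time.time() if now is None else now
        a, r = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[a] = {"scope": frozenset(scope), "expires_at": now + self.access_ttl, "revoked": False}
        self.refresh[r] = {"scope": frozenset(scope), "issued": [a]}
        return a, r

    def refresh_access(self, refresh_token, scope=None, now=None):
        """Refresh grant: returns a new access token B; A stays valid unless the policy revokes it."""
        now = time.time() if now is None else now
        rec = self.refresh.get(refresh_token)
        if rec is None:
            raise ValueError("invalid_grant")
        requested = frozenset(scope) if scope is not None else rec["scope"]
        if not requested <= rec["scope"]:  # RFC 6749 1.5: identical or narrower scope only
            raise ValueError("invalid_scope")
        if self.revoke_previous_on_refresh:
            for old in rec["issued"]:
                self.access[old]["revoked"] = True
        b = secrets.token_urlsafe(24)
        self.access[b] = {"scope": requested, "expires_at": now + self.access_ttl, "revoked": False}
        rec["issued"].append(b)
        return b

    def is_valid(self, access_token, now=None):
        """Resource-server check: unknown, revoked or expired tokens are rejected."""
        now = time.time() if now is None else now
        t = self.access.get(access_token)
        return t is not None and not t["revoked"] and now < t["expires_at"]
```

With the default policy, A is only ever rejected once its own expiry passes, which is why short access-token lifetimes matter when refresh does not revoke.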
