Reputation: 25457
refresh_token only works once
I'm scratching my head over this.
Using a JdbcTokenStore:
I am able to login and get an access_token as well as a refresh_token from the oauth/token endpoint. The web client stores both tokens. After the access_token expires, and a HTTP 401 has been sent, the client attempts to get a new access_token by presenting the refresh_token.
The new access_token and refresh_token get stored again on the client side.
However, the second time this is done I am getting an invalid_grant error telling me the refresh_token would be wrong.
This is the log:
2018-12-17T20:24:42.193Z INFO [main.js:1033] Login success.
...
ngx-logger.js:250 2018-12-17T20:24:42.195Z INFO [main.js:1034] {
"access_token": .72UGm5604uDyuY0eDSKE3s_Wr9GzhOFyYMsWoYKxdGs",
"token_type": "bearer",
"refresh_token": .5tucDhuMJciUufeosI-FG1lO5WaWQCq9_7G7kDPGmMc",
"expires_in": 4,
"scope": "read write",
"jti": "495c03d9-c19d-4239-9d94-9e96c49844f5"
}
ngx-logger.js:256 2018-12-17T20:24:42.198Z DEBUG [main.js:748] User is logged in.!
...
ngx-logger.js:250 2018-12-17T20:24:54.438Z INFO [main.js:843] Handling 401 error
ngx-logger.js:250 2018-12-17T20:24:54.441Z INFO [main.js:845] Refreshing access token
ngx-logger.js:250 2018-12-17T20:24:54.443Z INFO [main.js:1044] Attempting to refresh access token
ngx-logger.js:250 2018-12-17T20:24:54.446Z INFO [main.js:1045] refresh_token: .5tucDhuMJciUufeosI-FG1lO5WaWQCq9_7G7kDPGmMc
...
ngx-logger.js:250 2018-12-17T20:24:54.643Z INFO [main.js:854] Access token refreshed.
ngx-logger.js:250 2018-12-17T20:24:54.651Z INFO [main.js:855] {
"access_token": .gets297iCBDdNNK2C29PBTxRP1VdM9ok3ilo1g5Ow0A",
"token_type": "bearer",
"refresh_token": .NcJQOWDDo1q474LzvCeh37BjCn14I3E6e03JuWO208Y",
"expires_in": 4,
"scope": "read write",
"jti": "0fa0c63e-2027-4780-9ce3-501608cdaee5"
}
...
ngx-logger.js:247 2018-12-17T20:25:13.162Z ERROR [main.js:863] {
"headers": {
"normalizedNames": {},
"lazyUpdate": null
},
"status": 400,
"statusText": "OK",
"url": "https://192.168.1.144:8443/oauth/token",
"ok": false,
"name": "HttpErrorResponse",
"message": "Http failure response for https://192.168.1.144:8443/oauth/token: 400 OK",
"error": {
"error": "invalid_grant",
"error_description": "Invalid refresh token: .NcJQOWDDo1q474LzvCeh37BjCn14I3E6e03JuWO208Y"
}
}
I have no idea what the problem might be here. Am I missing something?
Upvotes: 1
Views: 781
Answers (1)
Reputation: 25457
Turns out I had to set the TokenEnhancerChain to not reuse refresh tokens. It's obviously true per default because that's why we use refresh_tokens - they should behave just like access_tokens (If you're confused now: this was sarcasm - I have no idea why the default would be true and I'd be delighted if somebody could clarify this).
Anyway. In your configuration you want to set (something like):
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
enhancerChain.setTokenEnhancers(Collections.singletonList(accessTokenConverter));
endpoints.tokenStore(tokenStore)
.accessTokenConverter(accessTokenConverter)
.tokenEnhancer(enhancerChain)
.reuseRefreshTokens(false) // <-------------- Set to false
.authenticationManager(authenticationManager);
}
Related issue on github: #867
Upvotes: 2
Related Questions
- Refresh token is not returned in oauth/token response of spring
- Spring OAuth2 Server is not responding with refresh token after authorization code flow
- spring oauth2 how to get a new refresh token every time
- OAuth2-SpringBoot - Refresh token
- refresh token is null using Spring Security OAuth2
- Spring Boot Oauth2 Refresh Token - IllegalStateException
- Refresh token not coming with authorize endpoint in oauth2
- Spring OAuth2 refresh token to change after refreshing access token
- Spring OAuth2 not giving refresh token
- Spring OAuth2 Refresh token