Reputation: 1
Using the Doorkeeper Ruby gem, I would like to get a new access token by sending a POST to /oauth/tokens with the body
{ grant_type: :refresh_token, refresh_token: 'abc123', scope: :A }
I do not want the response to include a replacement refresh token, however. Even if I explicitly set the config use_refresh_token(false), the response always contains a new refresh token. Is there any way to avoid generating a new refresh token while using grant_type: :refresh_token?
The reason I'd like to do this is so that the client can request a JWT with fewer scopes, while still holding onto the existing refresh token with more scopes.
Upvotes: 0
Views: 878
Reputation: 29208
The refresh token rotation behaviour is becoming standard since it is part of OAuth 2.1 specs.
The refresh token should not lose any scopes though, and the behaviour should be like this. It is worth doing a quick test with Doorkeeper, via a couple of curl requests:
At the time the user authenticates, Doorkeeper stores the scopes (which a user may have consented to) against the delegation - somewhere in its database. These may be scopes A, B and C.
The client then chooses to do an access token refresh with only scope B. A new refresh token is returned, and an access token with reduced scopes.
The client should still be able to do a new refresh, with the new refresh token, for scopes A, B and C again, since nothing has changed about the delegation.
Upvotes: 1
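The three-step behaviour the answer describes (full-scope delegation, a scoped-down refresh that rotates the refresh token, then a refresh back to the full scope set) as a small in-memory model in Ruby. This is an added example, not Doorkeeper's code: the classes TokenEndpoint, Delegation and Token and the rotate_refresh_tokens option are hypothetical names chosen for illustration. It also covers two checks a practitioner would want from a real token endpoint: a rotated (old) refresh token is rejected on reuse, and a refresh that asks for a scope outside the original delegation is refused rather than escalated.

```ruby
require 'securerandom'

# Added example (not Doorkeeper's implementation): a minimal model of the
# refresh_token grant with and without refresh token rotation.
Token = Struct.new(:value, :scopes, :revoked) do
  def revoke!
    self.revoked = true
  end
end

# What the user consented to at authorisation time; the refresh token is
# bound to this, and its scopes never shrink on refresh.
Delegation = Struct.new(:client_id, :scopes)

class TokenEndpoint
  def initialize(rotate_refresh_tokens: true)
    @rotate = rotate_refresh_tokens
    @refresh_tokens = {} # refresh token value => Token
    @delegations = {}    # refresh token value => Delegation
  end

  # Issued once after consent, e.g. at the end of the authorization code flow.
  def issue_initial_tokens(client_id, scopes)
    delegation = Delegation.new(client_id, scopes.map(&:to_s))
    { access_token: Token.new(SecureRandom.hex(8), delegation.scopes, false),
      refresh_token: new_refresh_token(delegation) }
  end

  # grant_type=refresh_token. A nil requested scope means "same as granted".
  def refresh(refresh_token_value, requested_scopes: nil)
    token = @refresh_tokens[refresh_token_value]
    return { error: 'invalid_grant' } if token.nil? || token.revoked

    delegation = @delegations[refresh_token_value]
    requested = requested_scopes ? requested_scopes.map(&:to_s) : delegation.scopes
    # RFC 6749 section 6: the requested scope must not include any scope that
    # was not originally granted, so a refresh can narrow but never widen.
    return { error: 'invalid_scope' } unless (requested - delegation.scopes).empty?

    response = { access_token: Token.new(SecureRandom.hex(8), requested, false) }
    if @rotate
      token.revoke! # old refresh token is single-use once rotated
      # The replacement carries the full delegation scopes, not the narrowed set.
      response[:refresh_token] = new_refresh_token(delegation)
    else
      response[:refresh_token] = token # no rotation: same refresh token returned
    end
    response
  end

  private

  def new_refresh_token(delegation)
    value = SecureRandom.hex(16)
    @delegations[value] = delegation
    @refresh_tokens[value] = Token.new(value, delegation.scopes, false)
  end
end

# Walks through the scenario from the answer plus two failure cases.
def run_scenario
  endpoint = TokenEndpoint.new(rotate_refresh_tokens: true)
  rt1 = endpoint.issue_initial_tokens('client-1', %i[A B C])[:refresh_token]

  step1 = endpoint.refresh(rt1.value, requested_scopes: %i[B])  # narrowed access token
  rt2 = step1[:refresh_token]
  step2 = endpoint.refresh(rt2.value, requested_scopes: %i[A B C]) # full scopes again
  replay = endpoint.refresh(rt1.value)                              # rotated token reused
  escalate = endpoint.refresh(step2[:refresh_token].value, requested_scopes: %i[A D])

  # The behaviour the question asked for: rotation switched off.
  fixed = TokenEndpoint.new(rotate_refresh_tokens: false)
  rt_fixed = fixed.issue_initial_tokens('client-2', %i[A B])[:refresh_token]
  no_rotation = fixed.refresh(rt_fixed.value, requested_scopes: %i[A])

  { step1: step1, step2: step2, replay: replay, escalate: escalate,
    no_rotation: no_rotation, fixed_refresh_token: rt_fixed }
end

if __FILE__ == $PROGRAM_NAME
  run_scenario.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The point to take from the model is that narrowing the scope only affects the access token that is minted; the refresh token, rotated or not, stays bound to the delegation the user consented to, so a later refresh can return to the full scope set without any new consent.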