Skip to content

feat: graceful refresh token rotation#3860

Merged
aeneasr merged 8 commits intomasterfrom
refresh-token-expiration-window-2
Oct 21, 2024
Merged

feat: graceful refresh token rotation#3860
aeneasr merged 8 commits intomasterfrom
refresh-token-expiration-window-2

Conversation

@aeneasr
Copy link
Copy Markdown
Member

@aeneasr aeneasr commented Oct 14, 2024

Related issue(s)

Closes #3770

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

@aeneasr aeneasr requested review from alnr and hperl as code owners October 14, 2024 08:49
@aeneasr aeneasr force-pushed the refresh-token-expiration-window-2 branch 3 times, most recently from e8ebba8 to fea96ff Compare October 14, 2024 09:37
@aeneasr aeneasr added the feat New feature or request. label Oct 15, 2024
@aeneasr aeneasr changed the title Refresh token expiration window 2 feat: graceful refresh token rotation Oct 15, 2024
@aeneasr aeneasr force-pushed the refresh-token-expiration-window-2 branch from db1b1fd to 9d66008 Compare October 15, 2024 07:37
@bill-robbins-ss @aeneasr
feat: graceful refresh token rotation
3d7414e 
This patch adds a configuration flag which enables graceful refresh token rotation. Previously, refresh tokens could only be used once. On reuse, all tokens of that chain would be revoked.

This is particularly challenging in environments, where it's difficult to make guarantees on synchronization. This could lead to refresh tokens being sent twice due to some parallel execution.

To resolve this, refresh tokens can now be graceful by changing `oauth2.grant.refresh_token.grace_period=10s` (example value). During this time, a refresh token can be used multiple times to generate new refresh, ID, and access tokens.

All tokens will correctly be invalidated, when the refresh token is re-used after the grace period expires, or when the delete consent endpoint is used.

Closes #1831 #3770
@aeneasr aeneasr force-pushed the refresh-token-expiration-window-2 branch from 9d66008 to 3d7414e Compare October 15, 2024 07:37
zepatrik
zepatrik requested changes Oct 15, 2024
View reviewed changes
@zepatrik
Copy link
Copy Markdown
Member

zepatrik commented Oct 15, 2024

From the original PR:

Shouldn't we also ensure that when a new refresh token is issued the grand parent refresh token is revoked and also all the "brother" refresh tokens are revoked?

@aeneasr
Copy link
Copy Markdown
Member Author

aeneasr commented Oct 17, 2024

From the original PR:

Shouldn't we also ensure that when a new refresh token is issued the grand parent refresh token is revoked and also all the "brother" refresh tokens are revoked?

I think we test this here: https://github.com/ory/hydra/pull/3860/files#diff-6d883efffdabd9715dc9872121018df30a5843c81e25dc6c4af2c3edc13fb21cR442

@aeneasr
Copy link
Copy Markdown
Member Author

aeneasr commented Oct 18, 2024

@zepatrik can you please approve if you're fine with the state as it is?

@aeneasr
Copy link
Copy Markdown
Member Author

aeneasr commented Oct 18, 2024

I have added a test case that revokes the consent session and checks that all tokens are correctly invalidated. Tests pass :)

@aeneasr aeneasr merged commit e278b40 into master Oct 21, 2024
@aeneasr aeneasr deleted the refresh-token-expiration-window-2 branch October 21, 2024 09:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zepatrik zepatrik zepatrik approved these changes

@hperl hperl Awaiting requested review from hperl

@alnr alnr Awaiting requested review from alnr

Assignees

@aeneasr aeneasr

Labels

feat New feature or request.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aeneasr @zepatrik @bill-robbins-ss