
fix(oxauth): check race condition during refresh token removal #1909

Closed
yuriyz opened this issue Jul 11, 2024 · 3 comments
@yuriyz
Contributor

yuriyz commented Jul 11, 2024

Describe the issue

refresh_token can be used only one time. However, if concurrent calls are sent, the AS allows re-using it multiple times.

Expected Behaviour: The refresh token cannot be reused

Actual behavior: During concurrent calls we have observed that we are able to reuse the same refresh token multiple times.

Refresh token should only be used once.

Support: 11874

@yuriyz yuriyz self-assigned this Jul 11, 2024
@nynymike
Contributor

Is there a config param that controls whether refresh token rotation is optional?

@yuriyz
Contributor Author

yuriyz commented Jul 11, 2024

There is a skipRefreshTokenDuringRefreshing boolean which indicates whether to create a new refresh_token on rotation or not.
If the value is false then the AS will create a new refresh_token on refreshing. The lifetime of the new refresh_token is set depending on the refreshTokenExtendLifetimeOnRotation configuration property.

  • if true - the new refresh_token gets the full lifetime set via refreshTokenLifetime
  • if false - the lifetime is calculated by the AS and is set to the lifetime of the previous refresh_token (meaning it will end at the time when the previous RT would expire)
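
The following is an added illustration, not code from oxAuth or from anyone in this thread. It models both points raised above: the race in the first comment (a check-then-delete of the refresh token that is not atomic, so several concurrent refresh requests all get past the check) next to the atomic remove-and-return that closes it, and the rotation behaviour selected by the three properties named in the second comment. The class and function names (RacyTokenStore, AtomicTokenStore, RotationConfig, refresh) and the barrier hook that forces the interleaving are this example's own assumptions; the real race window in an AS is the round trip to its persistence layer.

```python
# Added example (not oxAuth code). All names here are the example's own.
import secrets
import threading
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class RefreshToken:
    value: str
    expires_at: float  # seconds on whatever clock `now` uses


class RacyTokenStore:
    """Check-then-delete with no atomicity: the TOCTOU window between the
    lookup and the removal lets N concurrent refresh requests all consume
    the same token. `between_check_and_delete` is a constructed hook used
    below to force that interleaving deterministically."""

    def __init__(self, between_check_and_delete: Optional[Callable[[], object]] = None):
        self._tokens: Dict[str, RefreshToken] = {}
        self._hook = between_check_and_delete or (lambda: None)

    def issue(self, value: str, expires_at: float) -> None:
        self._tokens[value] = RefreshToken(value, expires_at)

    def consume(self, value: str, now: float) -> Optional[RefreshToken]:
        tok = self._tokens.get(value)            # check
        if tok is None or tok.expires_at <= now:
            return None
        self._hook()                             # race window
        self._tokens.pop(value, None)            # use
        return tok


class AtomicTokenStore(RacyTokenStore):
    """Fix: remove-and-return inside one critical section, so exactly one
    concurrent caller gets the token and every other caller gets nothing."""

    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def consume(self, value: str, now: float) -> Optional[RefreshToken]:
        with self._lock:
            tok = self._tokens.pop(value, None)  # single atomic remove
        if tok is None or tok.expires_at <= now:
            return None
        return tok


@dataclass
class RotationConfig:
    # Mirrors the three oxAuth properties named in the thread (defaults assumed).
    skip_refresh_token_during_refreshing: bool = False
    refresh_token_extend_lifetime_on_rotation: bool = True
    refresh_token_lifetime: float = 86400.0


def refresh(store: RacyTokenStore, old_value: str, now: float,
            cfg: RotationConfig) -> Optional[dict]:
    """Refresh-grant handler. None means invalid_grant (token unknown, expired
    or already used); otherwise the new refresh_token (None when rotation is
    skipped) and its expiry."""
    old = store.consume(old_value, now)
    if old is None:
        return None
    if cfg.skip_refresh_token_during_refreshing:
        return {"refresh_token": None, "refresh_token_expires_at": None}
    if cfg.refresh_token_extend_lifetime_on_rotation:
        expires_at = now + cfg.refresh_token_lifetime  # full new lifetime
    else:
        expires_at = old.expires_at                     # inherit previous expiry
    new_value = secrets.token_urlsafe(32)
    store.issue(new_value, expires_at)
    return {"refresh_token": new_value, "refresh_token_expires_at": expires_at}


def concurrent_refresh_successes(store: RacyTokenStore, old_value: str,
                                 n_clients: int, now: float = 0.0) -> int:
    """Send n_clients refresh requests for the same token at once and count
    how many the store accepts. Correct behaviour is exactly 1."""
    results = [None] * n_clients

    def worker(i):
        results[i] = refresh(store, old_value, now, RotationConfig())

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results)


def racy_successes(n_clients: int = 5) -> int:
    # Barrier: every thread passes the check before any thread deletes.
    barrier = threading.Barrier(n_clients)
    store = RacyTokenStore(between_check_and_delete=barrier.wait)
    store.issue("rt-old", expires_at=1000.0)  # constructed sample token
    return concurrent_refresh_successes(store, "rt-old", n_clients)


def atomic_successes(n_clients: int = 5) -> int:
    store = AtomicTokenStore()
    store.issue("rt-old", expires_at=1000.0)  # constructed sample token
    return concurrent_refresh_successes(store, "rt-old", n_clients)


if __name__ == "__main__":
    print("racy store  :", racy_successes(), "of 5 concurrent refreshes accepted")
    print("atomic store:", atomic_successes(), "of 5 concurrent refreshes accepted")
```

Run stand-alone it reports 5 of 5 accepted for the racy store and 1 of 5 for the atomic one. The property that matters for the fix is that the removal itself is the check: a backend that can only do "read, then delete" needs a conditional delete (or equivalent compare-and-swap) so that the second and later callers observe the token as already gone.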

@yuriyz
Contributor Author

yuriyz commented Jul 31, 2024

Issue is fixed in master (4.5.6-SNAPSHOT). Backported to version_4.5.5 and version_4.5.2.sp1.

Artifacts are re-built.
