Messages - Why is a refresh token needed if an authentication code is being used?

Issue #343 resolved
Michael Jones created an issue

Why is a refresh token needed if an authorization code is being used? I thought the whole point of the authorization code was to get the refresh token so it never crosses the wire?

But, even more interestingly, OpenID negates the whole purpose of the refresh token!

PLEASE RE-READ THE PREVIOUS SENTENCE, IT’S IMPORTANT.

The whole point of the refresh token was to give the client a handle for the user that could be anonymized so that delegating a permission didn’t mean also giving up the user’s identity. But the whole @#$@ purpose of OpenID is to IDENTIFY THE USER!!! So in an OpenID context there should never be a need to have a refresh token. Instead we should be able to include the user’s identity directly into the call.

Comments (4)

  1. Nat Sakimura

    Reject.

    These statements are false.

    The purpose of a refresh token is that, unlike an access token, it is only presented to the authorization server. An access token, on the other hand, would be shown to any number of resources. Thus, access tokens are more susceptible to leakage. This is the reason to make the validity period of access tokens short and to regain access tokens using a long-term refresh token.

    A refresh token may act like a PPID, but that is a side effect. The resource whose access was granted through a refresh token may have nothing to do with a particular user (entity). It is not identifying a user; it is identifying the resource access grant.

    Also, OpenID, on the other hand, identifies an entity, but this "identification" may use a PPID, or even a transaction ID per refresh token.

  2. John Bradley

    Connect is a profile of OAuth.

    If the authorization server is granting long-term access to the client for the user info endpoint or other resources, using a refresh token that may be down-scoped is preferred over granting access tokens that don't expire.

    Access tokens should be short lived so that the protected resource can be stateless.
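As an added illustration of the two comments above (not code from this issue tracker or from the OpenID Connect specification), a toy Python model of an authorization server that issues a short-lived access token alongside a long-lived refresh token, accepts the refresh token only at the authorization server, and allows a refresh to be down-scoped but never widened; all class and function names and the TTL constants are assumptions.

```python
import secrets
import time

ACCESS_TTL = 300          # seconds; short-lived because it is shown to every resource
REFRESH_TTL = 30 * 86400  # seconds; long-lived because it is shown only to the AS


class AuthorizationServer:
    """Toy authorization server (constructed for illustration, not a real AS)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}   # access token -> (scopes, expiry)
        self.refresh = {}  # refresh token -> (grant id, scopes, expiry)

    def _issue_access(self, scopes):
        tok = secrets.token_urlsafe(16)
        self.access[tok] = (frozenset(scopes), self.clock() + ACCESS_TTL)
        return tok

    def authorization_code_grant(self, scopes):
        """Initial grant: the refresh token names the grant, not the user."""
        grant_id = secrets.token_hex(8)
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (grant_id, frozenset(scopes), self.clock() + REFRESH_TTL)
        return self._issue_access(scopes), rt

    def refresh_grant(self, rt, scopes=None):
        """Trade a live refresh token for a new access token, never wider than the grant."""
        entry = self.refresh.get(rt)
        if entry is None or entry[2] <= self.clock():
            raise PermissionError("invalid_grant")
        granted = entry[1]
        wanted = frozenset(scopes) if scopes else granted
        if not wanted <= granted:
            raise PermissionError("invalid_scope")
        return self._issue_access(wanted)

    def introspect(self, token):
        """Only access tokens are known here; a refresh token yields None."""
        entry = self.access.get(token)
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]


def resource_server(as_, token, required_scope):
    """Stateless resource: accepts an unexpired access token carrying the scope."""
    scopes = as_.introspect(token)
    return scopes is not None and required_scope in scopes
```

A leaked refresh token is rejected by the resource, and a leaked access token stops working once ACCESS_TTL has passed, which is the trade-off the comments describe.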
