Expected behavior for grant_management_action=replace
The following requirement in “6.5. Revoke Grant”
The AS MUST revoke the grant and all refresh tokens issued based on that particular grant, it SHOULD revoke all access tokens issued based on that particular grant.
requires authorization server implementations to track the relationship between a grant ID and refresh tokens. From the description, it is clear that the “grant revoke” request to the grant management endpoint will result in revoking all relevant refresh tokens.
On the other hand, the following description in “3.3. Replace the details of a grant”
In some scenarios, clients might choose to replace the grant with the new one while keeping the same grant id. Old privileges will be revoked and new privileges will be added if approved by the user. The client has to specify full details of the new request.
and the explanation about replace in “5.2. Authorization Request”
replace: this mode requires the client to specify a grant id using the grant_id parameter. If the parameter is present and the AS supports the grant management action replace, the AS will change the grant to be ONLY the permissions requested by the client and consented by the user in the actual request.
are not so clear in terms of refresh token revocation.
A question raised here is as follows:
Which is the expected behavior for grant_management_action=replace?
- Just break the relationship. The previously-referenced refresh tokens remain valid.
- Break the relationship and revoke the previously-referenced refresh tokens.
See also the attached image which illustrates the question visually.
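To make the two candidate behaviours concrete, here is an added example that is not part of the original issue, the FAPI Grant Management draft, or any authorization server implementation. It is a minimal in-memory model of an AS that tracks the relationship between a grant_id and the refresh tokens issued under it: revoke_grant follows the quoted “6.5. Revoke Grant” text, and replace_grant implements the quoted “5.2” replace semantics under either of the two policies in the question. All class and method names (GrantStore, ReplacePolicy, demo, and so on) are this example's own assumptions, not spec-defined APIs.

```python
# Added example (not code from the FAPI specification or from any AS implementation):
# a minimal in-memory model of an authorization server that tracks grant_id -> refresh
# tokens and implements both candidate behaviours for grant_management_action=replace.
import secrets
from dataclasses import dataclass, field
from enum import Enum


class ReplacePolicy(Enum):
    BREAK_LINK_ONLY = "break relationship; old refresh tokens stay valid"
    REVOKE_OLD = "break relationship and revoke old refresh tokens"


@dataclass
class RefreshToken:
    value: str
    grant_id: str
    scope: frozenset          # scope captured when the token was issued
    revoked: bool = False


@dataclass
class Grant:
    grant_id: str
    scope: frozenset
    refresh_tokens: list = field(default_factory=list)  # RefreshToken objects bound to this grant


class GrantStore:
    """Hypothetical AS state; the names here are this example's own, not spec-defined."""

    def __init__(self, policy: ReplacePolicy):
        self.policy = policy
        self.grants: dict[str, Grant] = {}
        self.refresh_tokens: dict[str, RefreshToken] = {}

    def create_grant(self, scope) -> str:
        grant_id = secrets.token_urlsafe(16)
        self.grants[grant_id] = Grant(grant_id, frozenset(scope))
        return grant_id

    def issue_refresh_token(self, grant_id: str) -> str:
        grant = self.grants[grant_id]
        token = RefreshToken(secrets.token_urlsafe(32), grant_id, grant.scope)
        self.refresh_tokens[token.value] = token
        grant.refresh_tokens.append(token)
        return token.value

    def revoke_grant(self, grant_id: str) -> None:
        """Section 6.5: revoke the grant and every refresh token issued under it."""
        grant = self.grants.pop(grant_id)
        for token in grant.refresh_tokens:
            token.revoked = True

    def replace_grant(self, grant_id: str, new_scope) -> str:
        """Section 5.2 'replace': the grant becomes ONLY the newly consented scope."""
        grant = self.grants[grant_id]
        previous = grant.refresh_tokens
        grant.scope = frozenset(new_scope)
        grant.refresh_tokens = []        # the link to the old tokens is broken under both policies
        if self.policy is ReplacePolicy.REVOKE_OLD:
            for token in previous:       # ... and under REVOKE_OLD the old tokens are also killed
                token.revoked = True
        return self.issue_refresh_token(grant_id)

    def refresh(self, token_value: str) -> frozenset:
        """Token endpoint: scope an access token minted from this refresh token would carry."""
        token = self.refresh_tokens.get(token_value)
        if token is None or token.revoked or token.grant_id not in self.grants:
            raise PermissionError("invalid_grant")
        return token.scope


def demo(policy: ReplacePolicy) -> dict:
    """Consent to {accounts, payments}, replace with {accounts}, then try the OLD refresh token."""
    store = GrantStore(policy)
    grant_id = store.create_grant({"accounts", "payments"})
    old_rt = store.issue_refresh_token(grant_id)
    new_rt = store.replace_grant(grant_id, {"accounts"})
    try:
        old_result = sorted(store.refresh(old_rt))
    except PermissionError as exc:
        old_result = str(exc)
    return {"old_token": old_result, "new_token": sorted(store.refresh(new_rt))}


if __name__ == "__main__":
    for policy in ReplacePolicy:
        print(policy.name, demo(policy))
```

Running demo for both policies shows the security difference behind the question: under BREAK_LINK_ONLY the old refresh token still refreshes and still carries the "payments" privilege that the replace was supposed to remove, whereas under REVOKE_OLD the old token fails with invalid_grant and only the new token, with only "accounts", works. An AS that wants the replaced privileges to actually disappear has to do one of two things in this model: mark the old tokens revoked (REVOKE_OLD), or make the refresh check reject any token that is no longer linked to its grant.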
Comments (5)
To me the question is whether the issuance of a new refresh token will invalidate any pre-existing refresh tokens based on the same grant. I would answer: yes!
Clarifying the behaviour here: https://bitbucket.org/openid/fapi/pull-requests/297
- changed status to resolved
Fixed
#454 Merged in Dima-Postnikov/clarify-refresh-token-behaviour-on-repla-1638361353159 (pull request #297)
Clarify refresh token behaviour on replace and update. Fixes https://bitbucket.org/openid/fapi/issues/454/expected-behavior-for
Approved-by: Torsten Lodderstedt Approved-by: Takahiko Kawasaki
→ <<cset 5550c6b70aea>>
Discussed on today’s call: the intent is to make sure that old tokens are invalidated and cannot be used. They can either be revoked, or the token relationship with the grant needs to be broken.
So both scenarios should be ok?
What does everyone think?