cool-ghost-42678

04/20/2022, 8:10 AM
Hello everyone, I have a strange behaviour when I want to refresh my access and ID tokens. Indeed, the refresh token request refreshes my ID and access token (which is normal) and the refresh token too! In fact the expiration of the refresh token is refreshed, so the token never expires. Here are some results of the oauth2/introspect endpoint and my configuration. I have to add that the token durations in the configuration file are only for testing and that we have the same behaviour with longer durations. hydra version: 1.10.2. First introspect:
{
    "active": true,
    "scope": "openid offline_access",
    "client_id": "4c7b757c-7c7e-41fc-a74c-744c61002e8d",
    "sub": "a4375067-3bba-4a71-b7ba-1360488ca91b",
    "exp": 1650441205, // 09:53:25
    "iat": 1650440724, // 09:45:24 
    "nbf": 1650440724,
    "aud": [],
    "iss": "https://<myawesomehydraurl>/",
    "token_type": "Bearer",
    "token_use": "refresh_token"
}
Second introspect:
{
    "active": true,
    "scope": "openid offline_access",
    "client_id": "4c7b757c-7c7e-41fc-a74c-744c61002e8d",
    "sub": "a4375067-3bba-4a71-b7ba-1360488ca91b",
    "exp": 1650441508, // 09:58:28
    "iat": 1650441027, // 09:50:27
    "nbf": 1650441027,
    "aud": [],
    "iss": "https://<myawesomehydraurl>/",
    "token_type": "Bearer",
    "token_use": "refresh_token"
}
Here you can see that the refresh token should expire at 09:53:25, but when our ID token expires and we refresh it, the second refresh token issued expires at 09:58:28. And this goes on indefinitely. Hope that you can help me on this 🙂

happy-morning-85531

04/20/2022, 8:14 AM
I think this is known as Refresh Token Rotation and is used for security. Please correct me if I'm wrong; you can read more here https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation and here https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.13.2

cool-ghost-42678

04/20/2022, 8:32 AM
Thanks for your answer, it seems to be that. I wonder if there is a way to deactivate it or to set the duration of rotation?

happy-morning-85531

04/20/2022, 8:38 AM
Rotation kicks in when you refresh your access token, hence also refreshing the refresh token. So the "duration" would be the expiry of the refresh token? Or did I misunderstand you? I couldn't find anything in the config in terms of deactivating the rotation functionality, but I guess one could have a look through the source code and see if there's a flag.

cool-ghost-42678

04/20/2022, 9:04 AM
So the thing is that you can't control the duration of a session because refresh tokens refresh themselves.

happy-morning-85531

04/20/2022, 9:26 AM
@User Any insights on this?

magnificent-energy-493

04/20/2022, 9:32 AM
Refresh and access tokens are not sessions! You will not have an easy time using them like sessions. If you're looking for self-service first-party flows where you have control over session expiration and everything else you can imagine, check out Ory Kratos!

happy-morning-85531

04/20/2022, 9:33 AM
Thank you very much 🙇

cool-ghost-42678

04/20/2022, 1:00 PM
Okay, I've misunderstood the behaviour of token rotation; I'll work with that and it will fit my needs. Thanks for your advice @User @User

magnificent-energy-493

04/20/2022, 1:14 PM
Sure, feel free to reach out again if anything else is unclear