# contributors

worried-dress-75686

10/21/2021, 7:08 PM
Hello, my team and I have run into issues with the one-time-use nature of `refresh_token`, and after looking at various issues in GitHub it appears we are not alone. I've started a fork of both `fosite` and `hydra` to introduce a configuration variable to disable one-time-use refresh tokens and would like to get a first pass of my changes. Draft PR here

limited-tent-11422

10/24/2021, 6:53 PM
Official name for this feature is Refresh Token Rotation as per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.13.2. Having it off is kinda dangerous for public clients, but I see how it can be useful. I would probably go for `oauth2.refresh_token_rotation.enabled`. This is also something I would consider making per-client.

worried-dress-75686

10/26/2021, 6:59 PM
Great idea! Thank you - it's been changed.