[OAuth2] Generate new refresh token when using a previous refresh-token


Anders Olsen

Feb 1, 2018, 6:06:54 AM2/1/18
to cas-...@apereo.org

Hi everyone!

I am currently working on setting up CAS as the new SSO solution for our website.

In addition to a traditional website, we also have native apps for Android and (soon) iOS that use OAuth2 to authenticate, as they need to have offline capability and thus cannot use a regular session.

I have got most of the OAuth2 functionality to work, using this service definition:

    {
      "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
      "clientId": "XXX",
      "clientSecret": "XXXXX",
      "generateRefreshToken" : true,
      "jsonFormat" : true,
      "supported_grants" : ["password", "refresh_token"],
      "name" : "OAuth2 (Android)",
      "id" : 201801311512
    }

(Client ID and secret have been obfuscated.)

 

This also works fine to gain access tokens:

Using password:

    {
        "access_token": "AT-1-82jDv1D3pkvex5C1UYjKreBdhhw5omzc",
        "token_type": "bearer",
        "expires_in": 28800,
        "refresh_token": "RT-1-so451CeJyePgl2RmXnefODw0nV9jTAgX"
    }

Using refresh token:

    {
        "access_token": "AT-2-7a6-eLsKlX9-jyYynqFjTqsneLE8WnlN",
        "token_type": "bearer",
        "expires_in": 28800
    }

However, this means that when the refresh token expires, the user is totally shut out of CAS and has to re-login with his credentials.

I would like the user to never have to log in again after logging in the first time.

Our previous OAuth2 server is based on http://bshaffer.github.io/oauth2-server-php-docs/ and one of the settings there, under http://bshaffer.github.io/oauth2-server-php-docs/grant-types/refresh-token/, is a flag "always_issue_new_refresh_token", which defaults to false but can be set to true to give the user a new refresh token whenever the previous refresh token is used for creating a new access token.

Is there a setting or configuration in CAS that will enable the same behavior?

Thank you for your time.

Regards,

Anders Olsen

Software Developer

Tel +45 3328 3800

DOF / Birdlife Denmark | Vesterbrogade 140 | 1620 København V | www.dof.dk

 

Misagh Moayyed

Feb 1, 2018, 8:48:02 AM2/1/18
to cas-...@apereo.org
There isn't, but you can design an expiration policy for the relevant tokens so they don't ever expire.

--Misagh


Misagh Moayyed

Feb 1, 2018, 9:48:06 AM2/1/18
to Anders Olsen, CAS Community
Sounds great, good for you. 

And yes, I'd certainly agree. A never-expiring RT or any token/ticket for that matter is generally a very bad idea. 

--Misagh


From: "Anders Olsen" <anders...@dof.dk>
To: "CAS Community" <cas-...@apereo.org>
Cc: "Misagh Moayyed" <mmoa...@unicon.net>
Sent: Thursday, February 1, 2018 7:40:42 AM
Subject: Re: [cas-user] [OAuth2] Generate new refresh token when using a previous refresh-token
Thank you for your answer.

I have a bit of a concern about making the refresh tokens never expire, since that would increase the possibility of intercepting the refresh token.
I'll have a poke at the code and see if I can possibly make a new flag in the properties that users can set, and then make a pull request.

Regards
Anders Olsen
