Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If the blacklist app is enabled mark rotated refresh tokens as outstanding #519

Closed
wants to merge 2 commits into from
Closed

If the blacklist app is enabled mark rotated refresh tokens as outstanding #519

wants to merge 2 commits into from

Conversation

vainu-arto
Copy link
Contributor

@vainu-arto vainu-arto commented Jan 26, 2022
edited
Loading

The token blacklisting itself works without this (the OutstandingToken
object will be created when adding a token to the blacklist), but the list
of outstanding tokens would very quickly get out of date in the presence of
refresh token rotation, and be unusable for any other purpose (for example
being able to tell which users have valid outstanding tokens).

Fixes #363 and #25

Andrew-Chen-Wang
Andrew-Chen-Wang requested changes Jan 29, 2022
View reviewed changes
Copy link
Member

@Andrew-Chen-Wang Andrew-Chen-Wang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused what this is trying to do; can you clarify? Are you just abstracting code?

@aaronn
Copy link

aaronn commented Jun 8, 2023

Just came across this because I believe I have the same issue. When a token is initially created, it is added to the OutstandingToken table. However, when that same token is refreshed, the new refresh token isn't added to the new OutstandingToken table, causing it to then be rejected when there is an attempt to use it to refresh.

Is that right @vainu-arto?

@vainu-arto
Copy link
Contributor Author

Just came across this because I believe I have the same issue. When a token is initially created, it is added to the OutstandingToken table. However, when that same token is refreshed, the new refresh token isn't added to the new OutstandingToken table, causing it to then be rejected when there is an attempt to use it to refresh.

In my case refreshing tokens succeeds. At least the version of this lib I'm running doesn't require that the token exists in OutstandingToken before allowing it to be refreshed.

vainu-arto and others added 2 commits June 9, 2023 07:46
@vainu-arto
If the token blacklist is enabled mark rotated refresh tokens as outs…
f6b318e 
…tanding

The token blacklisting itself works without this (the OutstandingToken
object will be created when adding a token to the blacklist), but the list
of outstanding tokens would very quickly get out of date in the presence of
refresh token rotation, and be unusable for any other purpose (for example
being able to tell which users have valid outstanding tokens).
@pre-commit-ci @vainu-arto
[pre-commit.ci] auto fixes from pre-commit.com hooks
77ffaca 
for more information, see https://pre-commit.ci
@vainu-arto vainu-arto force-pushed the create-outstanding-token-for-rotated-refresh-token branch from a79b9de to 77ffaca Compare June 9, 2023 04:47
@vainu-arto
Copy link
Contributor Author

@Andrew-Chen-Wang The fix (without the tests) was already applied as #866, should we just close this PR?

@Andrew-Chen-Wang
Copy link
Member

seems fixed from recent pr

@vainu-arto vainu-arto closed this Feb 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Andrew-Chen-Wang Andrew-Chen-Wang Andrew-Chen-Wang requested changes

Assignees
No one assigned
Labels
needs investigation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OustandingToken only created when refresh token is used to get a new key pair and not at creation ? Bug ?
3 participants
@vainu-arto @aaronn @Andrew-Chen-Wang