
Invalidate refresh tokens by default for OAuth public clients #25845

Open
hickford opened this issue Jul 12, 2023 · 1 comment
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@hickford
Contributor

hickford commented Jul 12, 2023

Feature Description

Configuration option oauth2.INVALIDATE_REFRESH_TOKENS defaults to false. For public clients, refresh token invalidation should be the default following OAuth security best practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-22#name-refresh-tokens

> Refresh tokens for public clients MUST be sender-constrained or use refresh token rotation

The configuration option would then apply only to confidential clients.

Screenshots

No response

@hickford
Contributor Author

hickford commented Jul 12, 2023

Relevant code

```go
// the grant counter is only advanced when the setting is enabled
if setting.OAuth2.InvalidateRefreshTokens {
	if err := grant.IncreaseCounter(ctx); err != nil {
		return nil, &AccessTokenError{
			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
			ErrorDescription: "cannot increase the grant counter",
		}
	}
}

// check if token got already used
if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {
	handleAccessTokenError(ctx, AccessTokenError{
		ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
		ErrorDescription: "token was already used",
	})
	log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)
	return
}
```
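A self-contained model of the rotation check above with the proposed change applied: added here as an illustration, not Gitea's own code. `Grant`, `RefreshToken`, `RotationEnabled` and `Refresh` are simplified stand-ins for the grant counter logic in the excerpt; the `publicClient` flag is a hypothetical input the proposal would derive from the client registration.

```go
package main

import (
	"errors"
	"fmt"
)

// Grant is a simplified server-side authorization record: Counter is
// advanced each time a refresh token is rotated (hypothetical model).
type Grant struct {
	ID      int64
	Counter int64
}

// RefreshToken is the client-held token, stamped with the grant
// Counter that was current when it was issued.
type RefreshToken struct {
	GrantID int64
	Counter int64
}

var ErrTokenReused = errors.New("token was already used")

// RotationEnabled encodes the proposal: public clients always rotate,
// the INVALIDATE_REFRESH_TOKENS setting only governs confidential ones.
func RotationEnabled(publicClient, invalidateSetting bool) bool {
	if publicClient {
		return true
	}
	return invalidateSetting
}

// Refresh rejects a replayed token when rotation is on (stale Counter, or
// a legacy token with Counter 0), otherwise advances the grant counter and
// issues a new token bound to the new value. Without rotation the old token
// stays valid indefinitely, which is the behaviour the issue objects to.
func Refresh(grant *Grant, token RefreshToken, rotate bool) (RefreshToken, error) {
	if rotate && (grant.Counter != token.Counter || token.Counter == 0) {
		return RefreshToken{}, ErrTokenReused
	}
	if rotate {
		grant.Counter++
	}
	return RefreshToken{GrantID: grant.ID, Counter: grant.Counter}, nil
}

func main() {
	g := &Grant{ID: 7, Counter: 1} // constructed sample grant
	old := RefreshToken{GrantID: 7, Counter: 1}
	next, _ := Refresh(g, old, RotationEnabled(true, false))
	_, err := Refresh(g, old, RotationEnabled(true, false))
	fmt.Println("new counter:", next.Counter, "replay of old token:", err)
}
```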
