Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: graceful refresh token rotation #3860

Merged
merged 8 commits into from
Oct 21, 2024
Merged

feat: graceful refresh token rotation #3860

merged 8 commits into from
Oct 21, 2024

Conversation

aeneasr
Copy link
Member

@aeneasr aeneasr commented Oct 14, 2024

Related issue(s)

Closes #3770

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

@aeneasr aeneasr force-pushed the refresh-token-expiration-window-2 branch 3 times, most recently from e8ebba8 to fea96ff Compare October 14, 2024 09:37
@aeneasr aeneasr added the feat New feature or request. label Oct 15, 2024
@aeneasr aeneasr changed the title Refresh token expiration window 2 feat: graceful refresh token rotation Oct 15, 2024
@aeneasr aeneasr force-pushed the refresh-token-expiration-window-2 branch from db1b1fd to 9d66008 Compare October 15, 2024 07:37
@bill-robbins-ss @aeneasr
feat: graceful refresh token rotation
3d7414e 
This patch adds a configuration flag which enables graceful refresh token rotation. Previously, refresh tokens could only be used once. On reuse, all tokens of that chain would be revoked.

This is particularly challenging in environments, where it's difficult to make guarantees on synchronization. This could lead to refresh tokens being sent twice due to some parallel execution.

To resolve this, refresh tokens can now be graceful by changing `oauth2.grant.refresh_token.grace_period=10s` (example value). During this time, a refresh token can be used multiple times to generate new refresh, ID, and access tokens.

All tokens will correctly be invalidated, when the refresh token is re-used after the grace period expires, or when the delete consent endpoint is used.

Closes #1831 #3770
@aeneasr aeneasr force-pushed the refresh-token-expiration-window-2 branch from 9d66008 to 3d7414e Compare October 15, 2024 07:37
zepatrik
zepatrik requested changes Oct 15, 2024
View reviewed changes
driver/config/provider.go Outdated Show resolved Hide resolved
internal/config/config.yaml Outdated Show resolved Hide resolved
oauth2/fosite_store_helpers.go Outdated Show resolved Hide resolved
persistence/sql/persister_oauth2.go Show resolved Hide resolved
persistence/sql/persister_oauth2.go Outdated Show resolved Hide resolved
@zepatrik
Copy link
Member

From the original PR:

Shouldn't we also ensure that when a new refresh token is issued the grand parent refresh token is revoked and also all the "brother" refresh tokens are revoked?

@aeneasr
Copy link
Member Author

aeneasr commented Oct 17, 2024

From the original PR:

Shouldn't we also ensure that when a new refresh token is issued the grand parent refresh token is revoked and also all the "brother" refresh tokens are revoked?

I think we test this here: https://github.com/ory/hydra/pull/3860/files#diff-6d883efffdabd9715dc9872121018df30a5843c81e25dc6c4af2c3edc13fb21cR442

@aeneasr
Copy link
Member Author

aeneasr commented Oct 18, 2024

@zepatrik can you please approve if you're fine with the state as it is?

@aeneasr
Copy link
Member Author

aeneasr commented Oct 18, 2024

I have added a test case that revokes the consent session and checks that all tokens are correctly invalidated. Tests pass :)

@aeneasr aeneasr merged commit e278b40 into master Oct 21, 2024
29 checks passed
@aeneasr aeneasr deleted the refresh-token-expiration-window-2 branch October 21, 2024 09:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zepatrik zepatrik zepatrik approved these changes

@hperl hperl Awaiting requested review from hperl hperl is a code owner

@alnr alnr Awaiting requested review from alnr alnr is a code owner

Assignees

@aeneasr aeneasr

Labels
feat New feature or request.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aeneasr @zepatrik @bill-robbins-ss