fix: Move refresh rotate check to refresh flow #2437
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add client_auth_method to access token always but allow refresh (without secret) only if token before was client_auth=none and client has rotate=true for refresh tokens
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/185805382 The labels on this github issue will be updated when the story is started. |
torsten-sap
approved these changes
Aug 17, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add client_auth_method to access token always but allow refresh (without secret) only if token before was client_auth=none and client has rotate=true for refresh tokens
Refactor feature from #2402
During dev/test of #2435 found that it is a bad idea to combine the setting at the begin with rotate. So the access_token should have client_auth_method=none always if there was no secret (or empty secret)
Later in refresh flow the check should be done if rotate=true and then allow refresh without secret