forked from jazzband/django-oauth-toolkit
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Refresh Token Reuse Protection (jazzband#1452)
* Implement REFRESH_TOKEN_REUSE_PROTECTION (jazzband#1404) According to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-recommendations, the authorization server needs a way to determine which refresh tokens belong to the same session, so it is able to figure out which tokens to revoke. Therefore, this commit introduces a "token_family" field to the RefreshToken table. Whenever a revoked refresh token is reused, the auth server uses the token family to revoke all related tokens.
- Loading branch information
Showing
9 changed files
with
184 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 changes: 19 additions & 0 deletions
19
oauth2_provider/migrations/0011_refreshtoken_token_family.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# Generated by Django 5.2 on 2024-08-09 16:40 | ||
|
||
from django.db import migrations, models | ||
from oauth2_provider.settings import oauth2_settings | ||
|
||
class Migration(migrations.Migration): | ||
|
||
dependencies = [ | ||
('oauth2_provider', '0010_application_allowed_origins'), | ||
migrations.swappable_dependency(oauth2_settings.REFRESH_TOKEN_MODEL) | ||
] | ||
|
||
operations = [ | ||
migrations.AddField( | ||
model_name='refreshtoken', | ||
name='token_family', | ||
field=models.UUIDField(blank=True, editable=False, null=True), | ||
), | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# Generated by Django 5.2 on 2024-08-09 16:40 | ||
|
||
from django.db import migrations, models | ||
from oauth2_provider.settings import oauth2_settings | ||
|
||
|
||
class Migration(migrations.Migration): | ||
|
||
dependencies = [ | ||
('tests', '0005_basetestapplication_allowed_origins_and_more'), | ||
migrations.swappable_dependency(oauth2_settings.REFRESH_TOKEN_MODEL) | ||
] | ||
|
||
operations = [ | ||
migrations.AddField( | ||
model_name='samplerefreshtoken', | ||
name='token_family', | ||
field=models.UUIDField(blank=True, editable=False, null=True), | ||
), | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters