This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

AccessToken can be used past the AbsoluteRefreshTokenLifetime #3813

Open
GODoal opened this issue Aug 10, 2017 · 1 comment

Comments

@GODoal commented Aug 10, 2017

  • [x] I read and understood how to enable logging

Question / Issue

I am not sure if the following observed behavior is expected or a bug; so please advise as you see fit.

Assuming the Client configuration shown in the log section below, where:
AccessTokenLifetime=18000 (5 hours, or T5 for simplicity)
AbsoluteRefreshTokenLifetime=28800 (8 hours, or T8 for simplicity)
and the following sequence of events:

  1. The refresh token is created at time T0 with expiration at T8
  2. We use the refresh token at T0 (for simplicity) to get an AccessToken
  3. The AccessToken expiration is set to T5 as expected
  4. At T5 a new AccessToken is requested, and since we're still within the AbsoluteRefreshTokenLifetime T8, the client is granted the token request.

The problem is:
The new AccessToken (step 4) has an expiration of T10, which is greater than the AbsoluteRefreshTokenLifetime T8. This means the Client is authorized to continue its usual operation past the AbsoluteRefreshTokenLifetime deadline (two hours, if you're counting).

Relevant parts of the log file

```csharp
new Client
{
    ClientId = "STRINGHERE",
    ClientName = "Client Name",
    ClientSecrets = new List<Secret>
    {
        new Secret("".Sha256())
    },
    RequireConsent = false,
    Flow = Flows.ResourceOwner,
    PrefixClientClaims = false,
    AlwaysSendClientClaims = true,
    AllowedScopes = new List<string>
    {
        "api",
        StandardScopes.OfflineAccess.Name
    },
    AccessTokenLifetime = 18000,                            // 5 hours (T5)
    RefreshTokenUsage = TokenUsage.ReUse,
    RefreshTokenExpiration = TokenExpiration.Absolute,
    AbsoluteRefreshTokenLifetime = 28800                    // 8 hours (T8)
},
```
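The timeline in the issue, replayed as an added example (not code from the issue or from IdentityServer): a minimal model of a refresh token with an absolute expiry and two ways of issuing an access token from it. `refresh_naive` reproduces the observed behaviour (the only check is that the refresh token is still alive), `refresh_clamped` is a hypothetical hardened variant that caps the access token's `exp` at the refresh token's absolute expiry, and `overrun_seconds` is the audit check a defender would run over issued tokens. All function and field names are assumptions; the numbers are the client's own lifetimes from the configuration above.

```python
from dataclasses import dataclass

# Lifetimes taken from the Client configuration in the issue (seconds).
ACCESS_TOKEN_LIFETIME = 18000        # AccessTokenLifetime, 5 h (T5)
ABSOLUTE_REFRESH_LIFETIME = 28800    # AbsoluteRefreshTokenLifetime, 8 h (T8)


@dataclass(frozen=True)
class RefreshToken:
    created_at: int
    absolute_expiry: int   # created_at + AbsoluteRefreshTokenLifetime


@dataclass(frozen=True)
class AccessToken:
    issued_at: int
    expires_at: int


def create_refresh_token(now: int) -> RefreshToken:
    """TokenExpiration.Absolute: the deadline is fixed at creation time."""
    return RefreshToken(created_at=now, absolute_expiry=now + ABSOLUTE_REFRESH_LIFETIME)


def refresh_naive(rt: RefreshToken, now: int) -> AccessToken:
    """Behaviour described in the issue: as long as the refresh token is still
    valid, the new access token gets a full AccessTokenLifetime from 'now'."""
    if now >= rt.absolute_expiry:
        raise PermissionError("refresh token expired")
    return AccessToken(issued_at=now, expires_at=now + ACCESS_TOKEN_LIFETIME)


def refresh_clamped(rt: RefreshToken, now: int) -> AccessToken:
    """Hypothetical hardened variant (an assumption, not IdentityServer's code):
    the access token never outlives the refresh token's absolute expiry."""
    if now >= rt.absolute_expiry:
        raise PermissionError("refresh token expired")
    expires_at = min(now + ACCESS_TOKEN_LIFETIME, rt.absolute_expiry)
    return AccessToken(issued_at=now, expires_at=expires_at)


def overrun_seconds(at: AccessToken, rt: RefreshToken) -> int:
    """Audit check: how long an access token stays usable after the refresh
    token's hard deadline. Zero means the deadline is respected."""
    return max(0, at.expires_at - rt.absolute_expiry)


def replay_timeline(refresh) -> list[tuple[int, int]]:
    """Walk the sequence from the issue: refresh token created at T0, access
    token obtained at T0, a second one requested at T5 (still inside T8).
    Returns (expires_at, overrun) for each access token issued."""
    rt = create_refresh_token(0)
    first = refresh(rt, 0)
    second = refresh(rt, first.expires_at)
    return [
        (first.expires_at, overrun_seconds(first, rt)),
        (second.expires_at, overrun_seconds(second, rt)),
    ]


def refresh_allowed_at(refresh, now: int) -> bool:
    """True if a refresh at 'now' (refresh token created at T0) is granted."""
    try:
        refresh(create_refresh_token(0), now)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("naive:  ", replay_timeline(refresh_naive))     # second token overruns T8 by 7200 s
    print("clamped:", replay_timeline(refresh_clamped))   # second token ends exactly at T8
```

With the naive rule the second access token expires at T10 and `overrun_seconds` reports the two hours the issue describes; with the clamped rule it expires at T8. A refresh attempted at T8 or later is refused under either rule, so clamping changes only how far an already-granted token can reach past the deadline.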
@brockallen (Member) commented

Interesting discovery.
