Comments (10)
There is nothing on this in the spec as far as I'm aware but I don't think there needs to be. Once a client has an access token, why would they go through the process again?
from oauth2-server.
There is nothing on this in the spec as far as I'm aware but I don't think there needs to be. Once a client has an access token, why would they go through the process again?
If they logged in on another computer. We are building a Desktop App and it's very common for the same account to be used on multiple workstations.
@ctadlock this is refresh token rotation.
@ctadlock this is refresh token rotation.
Thanks. It's related, but not exact.
To simplify my question: is it OK for the same user/client pair to have multiple unexpired and unrevoked access and refresh tokens?
I'm using a modified version of Laravel Passport and it even has code to check to see if a valid token exists, but it only uses it to bypass the authorization step. It then gets handed off to this package which always issues new tokens without regard to any existing active tokens.
is it OK for the same user/client pair to have multiple unexpired and unrevoked access and refresh tokens?
No, it isn't. There are some considerations not to do so.
You can use multiple token pairs to organize multiple user sessions but tokens must be renewed.
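The answer above states the policy (a user/client pair should not keep several unexpired, unrevoked token pairs unless the server is deliberately tracking sessions) but not how to enforce it at issuance, which is exactly the gap the question describes: the authorization step sees an existing valid token, yet issuance still hands out a fresh pair. The following is an added example, not code from league/oauth2-server or Laravel Passport. It is a hypothetical in-memory TokenStore that caps active access/refresh pairs per (user, client) and revokes the oldest pair when a new one is issued; max_active_pairs=1 gives a single session, a larger value gives the multi-session arrangement mentioned above. All names, timestamps and identifiers are constructed.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class TokenPair:
    """One access/refresh pair issued to (user_id, client_id). Constructed model."""
    seq: int                 # issuance order; used to find the oldest pair
    access_token: str
    refresh_token: str
    user_id: str
    client_id: str
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        # "Active" here means neither revoked nor expired.
        return not self.revoked and now < self.expires_at


class TokenStore:
    """Hypothetical in-memory store that caps live pairs per (user, client).

    max_active_pairs=1 enforces one session per user/client; a larger value
    allows that many concurrent devices and revokes the oldest on overflow.
    """

    def __init__(self, max_active_pairs: int = 1,
                 access_ttl: timedelta = timedelta(hours=1)) -> None:
        if max_active_pairs < 1:
            raise ValueError("max_active_pairs must be >= 1")
        self.max_active_pairs = max_active_pairs
        self.access_ttl = access_ttl
        self._pairs: List[TokenPair] = []
        self._seq = 0

    def active_pairs(self, user_id: str, client_id: str,
                     now: Optional[datetime] = None) -> List[TokenPair]:
        """Unexpired, unrevoked pairs for the user/client, oldest first."""
        now = now or datetime.now(timezone.utc)
        return sorted(
            (p for p in self._pairs
             if p.user_id == user_id and p.client_id == client_id and p.is_active(now)),
            key=lambda p: p.seq)

    def issue(self, user_id: str, client_id: str,
              now: Optional[datetime] = None) -> TokenPair:
        """Issue a new pair, revoking the oldest live pairs so the cap holds."""
        now = now or datetime.now(timezone.utc)
        live = self.active_pairs(user_id, client_id, now)
        # Number of existing pairs that must go for the new one to fit under the cap.
        overflow = len(live) - self.max_active_pairs + 1
        for stale in live[:max(overflow, 0)]:
            stale.revoked = True
        self._seq += 1
        pair = TokenPair(self._seq, secrets.token_urlsafe(32), secrets.token_urlsafe(32),
                         user_id, client_id, now, now + self.access_ttl)
        self._pairs.append(pair)
        return pair

    def revoke_all(self, user_id: str, client_id: str) -> int:
        """Log out everywhere: revoke every pair for the user/client; returns the count."""
        count = 0
        for p in self._pairs:
            if p.user_id == user_id and p.client_id == client_id and not p.revoked:
                p.revoked = True
                count += 1
        return count


def demo_two_devices(max_active_pairs: int) -> dict:
    """Same account authorising the same client from two devices, as in the thread."""
    store = TokenStore(max_active_pairs=max_active_pairs)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    first = store.issue("account-1", "app-1", now=t0)
    second = store.issue("account-1", "app-1", now=t0 + timedelta(minutes=5))
    return {
        "active": len(store.active_pairs("account-1", "app-1", now=t0 + timedelta(minutes=6))),
        "first_revoked": first.revoked,
        "second_revoked": second.revoked,
        # Both pairs are past their one-hour TTL two hours after t0.
        "active_after_expiry": len(store.active_pairs("account-1", "app-1",
                                                      now=t0 + timedelta(hours=2))),
    }


if __name__ == "__main__":
    print("single session:", demo_two_devices(1))
    print("two sessions:  ", demo_two_devices(2))
```

Setting max_active_pairs above 1 keeps the second workstation logged in, which is the trade-off the desktop-app part of this discussion turns on; whichever cap is chosen, revoke_all gives the user a way to end every session at once, and the expiry check means a pair that is never renewed drops out of the active set on its own.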
That is what happens if you use this library with Laravel Passport. It's not clear to me if the fix would be in this library or Passport. It would seem to me given the code link I put in my first post that it should be in this library. I'm not at a level of expertise to know yet, nor submit a PR to resolve it.
Here is the result from my system with the same user (account_id) being authorized to the same client (application_id) on two devices.
If this is for a desktop app I think that app should ensure stored credentials are tied to the logged in user in much the same way as other desktop apps do. Is this not possible?
If this is for a desktop app I think that app should ensure stored credentials are tied to the logged in user in much the same way as other desktop apps do. Is this not possible?
Many of the desktop apps I use use OAuth; GitKraken...
Do they all definitely have shared credentials though? If I logged into your machine would Git Kraken allow me to have access to all your repos?
Closing this as I think it is something your app needs to handle rather than this library.