marcv February 2016

Shouldn't the old access token be invalidated by a refresh call?

When I refresh an OAuth access token A, I get a new access token B. But A is still valid, I can still use it.

Shouldn't the old access token be invalidated by the refresh operation? If not, if it's "by design", could someone give me details about why?

Note: using Symfony with the FOSOAuthServerBundle bundle.

Answers


Spomky February 2016

The RFC6749 section 1.5 indicates that:

Refresh tokens are issued to the client by the authorization server and are used to obtain [...] additional access tokens with identical or narrower scope

As far as I understand, the access token A may be still valid when an access token B is issued with the refresh token.
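To make the behaviour described in the answer concrete, here is an added example (not code from the question, the answer, or FOSOAuthServerBundle): a toy in-memory authorization server in Python that implements the refresh grant of RFC 6749 section 6. Issuing B through the refresh token does not touch A, so A stays usable until its own expiry; the server only enforces the "identical or narrower scope" rule. A hypothetical `revoke_on_refresh` policy flag shows what an implementation would have to do on top of the RFC if it wanted A invalidated at refresh time. All class, method and parameter names here are assumptions made for the illustration.

```python
"""Toy model of the OAuth 2.0 refresh grant (RFC 6749 section 6).

Hypothetical in-memory authorization server written for illustration only.
It is NOT FOSOAuthServerBundle and does not reproduce its internals.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Token:
    value: str
    client_id: str
    scope: frozenset
    expires_at: Optional[float]   # None = no expiry (used for refresh tokens here)
    parent: Optional[str] = None  # refresh token this access token was minted from
    revoked: bool = False


class ToyAuthorizationServer:
    def __init__(self, access_ttl=3600, revoke_on_refresh=False, clock=time.time):
        # revoke_on_refresh is a local policy knob for the demo; RFC 6749 does not
        # require an authorization server to invalidate earlier access tokens on refresh.
        self.access_ttl = access_ttl
        self.revoke_on_refresh = revoke_on_refresh
        self.clock = clock                 # injectable clock so expiry can be tested
        self.access_tokens = {}            # token value -> Token
        self.refresh_tokens = {}           # token value -> Token

    def _new_access_token(self, client_id, scope, parent):
        tok = Token(secrets.token_urlsafe(32), client_id, frozenset(scope),
                    self.clock() + self.access_ttl, parent)
        self.access_tokens[tok.value] = tok
        return tok.value

    def issue(self, client_id, scope):
        """Initial grant: one access token plus one refresh token with the same scope."""
        rt = Token(secrets.token_urlsafe(32), client_id, frozenset(scope), None)
        self.refresh_tokens[rt.value] = rt
        return self._new_access_token(client_id, scope, rt.value), rt.value

    def refresh(self, refresh_token, scope=None):
        """Refresh grant: mint a new access token; previous ones are left alone by default."""
        rt = self.refresh_tokens.get(refresh_token)
        if rt is None or rt.revoked:
            raise PermissionError("invalid_grant")
        requested = frozenset(scope) if scope is not None else rt.scope
        # Section 6: the requested scope must be identical to or narrower than the original.
        if not requested <= rt.scope:
            raise PermissionError("invalid_scope")
        if self.revoke_on_refresh:
            # Policy beyond the RFC: kill earlier access tokens minted from this refresh token.
            for tok in self.access_tokens.values():
                if tok.parent == rt.value:
                    tok.revoked = True
        return self._new_access_token(rt.client_id, requested, rt.value)

    def introspect(self, access_token):
        """True if the access token exists, is not revoked and has not expired."""
        tok = self.access_tokens.get(access_token)
        if tok is None or tok.revoked:
            return False
        return self.clock() < tok.expires_at


def demo():
    """Run the question's scenario under both policies and report whether A is still valid."""
    now = [1_000_000.0]                    # constructed fixed clock value
    results = {}
    for revoke in (False, True):
        srv = ToyAuthorizationServer(access_ttl=3600, revoke_on_refresh=revoke,
                                     clock=lambda: now[0])
        a, r = srv.issue("client-1", {"read", "write"})
        b = srv.refresh(r)
        key = "revoking" if revoke else "default"
        results[f"old_token_valid_{key}"] = srv.introspect(a)
        results[f"new_token_valid_{key}"] = srv.introspect(b)
    return results


if __name__ == "__main__":
    print(demo())
```

With the default policy `demo()` reports the old token as still valid after the refresh, which is the behaviour the question observed; only the `revoke_on_refresh` variant invalidates it. Refresh token rotation (the optional new refresh token in section 6) is not modelled.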

Post Status

Asked in February 2016
Viewed 3,998 times
Voted 6
1 answer
