Refreshed access token is inactive after token revocation #432
Closed
ufkl opened this issue Sep 5, 2021 · 2 comments
Labels: type: bug (A general bug)


ufkl commented Sep 5, 2021

Describe the bug
After revoking the access token, any new access token generated by exchanging the refresh token is invalid.

Artifact: spring-security-oauth2-authorization-server
Version: 0.2.0

To Reproduce

  1. Initiate the authorization code flow
  2. Exchange the authorization code for an access token & refresh token
  3. Invoke the token revocation API using the access token
  4. Generate a new access token by exchanging the refresh token
  5. Use the new access token to call APIs (via the resource server)

The following is the response received from the resource server:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="invalid_token", error_description="Provided token isn't active", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Expected behavior
The newly generated access token is usable.

Potential code that caused the issue

During token revocation, OAuth2TokenRevocationAuthenticationProvider leverages OAuth2AuthenticationProviderUtils#invalidate to add the OAuth2Authorization.Token.INVALIDATED_METADATA_NAME metadata to the access token.

In the OAuth2RefreshTokenAuthenticationProvider#authenticate method, lines 237-250, we may want to re-initialize the OAuth2Authorization.Token.INVALIDATED_METADATA_NAME metadata to false, because the OAuth2Authorization#token method inherits/copies the metadata of the existing access token when generating the new access token.

// @formatter:off
OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
		.token(accessToken,
				(metadata) ->
						metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims()))
		.refreshToken(currentRefreshToken);
if (idToken != null) {
	authorizationBuilder
			.token(idToken,
					(metadata) ->
							metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
}
authorization = authorizationBuilder.build();
// @formatter:on
@ufkl ufkl added the type: bug A general bug label Sep 5, 2021
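The following is an added example, not code from this issue or from Spring Authorization Server itself. It models the reporter's hypothesis against the public OAuth2Authorization API: OAuth2Authorization.Builder#token(...) copies the metadata of an existing token of the same class, so an access token marked INVALIDATED carries that flag into the token issued on refresh unless the flag is explicitly reset, which is the change the report suggests. It assumes spring-security-oauth2-authorization-server 0.2.x on the classpath; the client, token values and timestamps are constructed for the demonstration, and the class and method names are the example's own.

```java
import java.time.Duration;
import java.time.Instant;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

// Hypothetical example class; models the reproduction steps 2-4 of the report
// directly on OAuth2Authorization objects, without an HTTP round trip.
public class RefreshedTokenMetadataExample {

    // Constructed sample client; values are placeholders for the demonstration.
    static RegisteredClient client() {
        return RegisteredClient.withId("client-id-1")
                .clientId("demo-client")
                .clientSecret("{noop}demo-secret")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("http://127.0.0.1:8080/authorized")
                .build();
    }

    // Constructed bearer token valid for five minutes from now.
    static OAuth2AccessToken accessToken(String value) {
        Instant issuedAt = Instant.now();
        return new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, value,
                issuedAt, issuedAt.plus(Duration.ofMinutes(5)));
    }

    // Step 2: the authorization holding the originally issued access token.
    static OAuth2Authorization initialAuthorization() {
        return OAuth2Authorization.withRegisteredClient(client())
                .id("authorization-1")
                .principalName("user")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .accessToken(accessToken("access-token-1"))
                .build();
    }

    // Step 3: what revocation does to the access token's metadata, as the
    // report describes OAuth2AuthenticationProviderUtils#invalidate doing.
    static OAuth2Authorization revoke(OAuth2Authorization authorization) {
        return OAuth2Authorization.from(authorization)
                .token(authorization.getAccessToken().getToken(), (metadata) ->
                        metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true))
                .build();
    }

    // Step 4 as the report describes it: only claims metadata is written, so the
    // builder's copy of the previous access token's metadata keeps INVALIDATED=true.
    static OAuth2Authorization refreshWithoutReset(OAuth2Authorization authorization) {
        return OAuth2Authorization.from(authorization)
                .token(accessToken("access-token-2"), (metadata) -> {
                    // real code puts CLAIMS_METADATA_NAME here; omitted, no JWT in this example
                })
                .build();
    }

    // Step 4 with the reporter's suggested change: reset the flag explicitly
    // when the refreshed access token is added.
    static OAuth2Authorization refreshWithReset(OAuth2Authorization authorization) {
        return OAuth2Authorization.from(authorization)
                .token(accessToken("access-token-2"), (metadata) ->
                        metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, false))
                .build();
    }

    public static void main(String[] args) {
        OAuth2Authorization revoked = revoke(initialAuthorization());
        System.out.println("revoked token invalidated: "
                + revoked.getAccessToken().isInvalidated());

        // isActive() is the check a resource server consults; the report says the
        // inherited flag makes it fail, yielding the 401 invalid_token response above.
        OAuth2Authorization.Token<OAuth2AccessToken> inherited =
                refreshWithoutReset(revoked).getAccessToken();
        System.out.println("refreshed (no reset) value=" + inherited.getToken().getTokenValue()
                + " invalidated=" + inherited.isInvalidated()
                + " active=" + inherited.isActive());

        OAuth2Authorization.Token<OAuth2AccessToken> reset =
                refreshWithReset(revoked).getAccessToken();
        System.out.println("refreshed (reset) value=" + reset.getToken().getTokenValue()
                + " invalidated=" + reset.isInvalidated()
                + " active=" + reset.isActive());
    }
}
```

Run it with the authorization server artifact on the classpath and compare the two `active=` lines: the difference between them is exactly the metadata carried over by the builder. Note that this only concerns the access token's flag; the report's follow-up question, why a refresh token is still exchangeable after revocation, is a separate check on the refresh token itself and is not modelled here.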
ufkl commented Sep 6, 2021

Or maybe we should look at why we still allow exchanging the refresh token for a new access token?

@jgrandja jgrandja changed the title Any new access token generated is inactive after token revocation Refreshed access token is inactive after token revocation Sep 22, 2021
@jgrandja jgrandja self-assigned this Sep 22, 2021
@jgrandja jgrandja added this to the 0.2.1 milestone Sep 22, 2021
jgrandja (Collaborator) commented:

Thanks for the report @ufkl ! This is now fixed via e4ce97b.

doba16 pushed a commit to doba16/spring-authorization-server that referenced this issue Apr 21, 2023