Introduce expiration on refresh tokens - an implementation proposal #288
Comments
|
@vjt refresh tokens get renewed too and get invalidated after single use. Token stealing not possible from my pov. |
|
@michaelstingl thanks. The stealing is indeed difficult, as that would require getting control of the state of an active client. Still, being refresh tokens valid forever, they pose some concern for our context, as our policies require users to re-authenticate periodically. What do you think? Thank you |
|
For more control, policies etc, better use OpenID Connect: Policies configured on your IdP are used to control not only the oC server, but also desktop & mobile clients behave according those policies. OpenID Connect also prepares you to migrate to the next generation ownCloud based on Golang microservice architecture: |
|
Ouch, that migration would not be straightforward at this time, but I understand one can be more focused on the upcoming technology rather than extending the current. Anyway - would a PR implementing what I describe be considered? Thank you! |
|
Greetings!
By reading the refresh token mapper code it seems to me that refresh tokens do not have an expiration time, as such they are potentially valid forever, as long as the underlying user is still active it its backend.
In some high-security contexts, users are requested to re-login periodically, to reduce the risk of token stealing.
What do you think of:
expires_attimestamp column on the refresh tokens tabletime() + $refresh_token_expiration_daysin theexpires_atrefreshTokenMapper#findByToken()is called, it wouldselect * from refreshtokens where token = ? and expires_at > NOW()cronjob todelete from refreshtokens where expires_at < NOW()Thank you!
The text was updated successfully, but these errors were encountered: