Created February 24, 2018 02:22
Example:

* (00:01:01): Initial state: client stores access_token=a01 and refresh_token=r01.
  API DB access_tokens table is as follows:

  | access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
  | a01          | r01           |                        | 3605       | 00:00:01   |            |

* (00:02:02): Client refreshes token using refresh_token=r01.
  It gets access_token=a02 and refresh_token=r02.
  API DB access_tokens table becomes as follows:

  | access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
  | a01          | r01           |                        | 3605       | 00:01:01   | 00:02:02   | <- revoked but not expired
  | a02          | r02           | r01                    | 3605       | 00:02:02   |            |

* (00:03:03): Client process 1 refreshes token using refresh_token=r02.
  It gets access_token=a03 and refresh_token=r03.
  API DB access_tokens table becomes as follows:

  | access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
  | a01          | r01           |                        | 3605       | 00:01:01   | 00:02:02   | <- revoked and expired
  | a02          | r02           | r01                    | 3605       | 00:02:02   | 00:03:03   | <- revoked but not expired
  | a03          | r03           | r02                    | 3605       | 00:03:03   |            |

* (00:03:04): Client process 2 refreshes token using refresh_token=r02.
  It gets access_token=a03 and refresh_token=r03 again!!!
  API returns a03 & r03 again because a row with previous_refresh_token=r02 exists (a03 & r03) and
  the r02 row is still not expired although its revoked_at is set.
  (This lookup needs a unique index on the previous_refresh_token column.)
  API DB access_tokens table doesn't change:

  | access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
  | a01          | r01           |                        | 3605       | 00:01:01   | 00:02:02   | <- revoked and expired
  | a02          | r02           | r01                    | 3605       | 00:02:02   | 00:03:03   | <- revoked but not expired
  | a03          | r03           | r02                    | 3605       | 00:03:03   |            |

* (00:04:04): Client refreshes token using refresh_token=r03.
  It gets access_token=a04 and refresh_token=r04.
  API DB access_tokens table becomes as follows:

  | access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
  | a01          | r01           |                        | 3605       | 00:01:01   | 00:02:02   | <- revoked and expired
  | a02          | r02           | r01                    | 3605       | 00:02:02   | 00:03:03   | <- revoked and expired
  | a03          | r03           | r02                    | 3605       | 00:03:03   | 00:04:04   | <- revoked but not expired
  | a04          | r04           | r03                    | 3605       | 00:04:04   |            |

* How to revoke a refresh token explicitly? => Delete the row instead of setting revoked_at.
* How to revoke an access token explicitly? => Set revoked_at. The "revoked but not expired" state applies only to refresh_token.
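The rotation scheme above, as an added example that is not part of the gist: an in-memory SQLite model of the access_tokens table with the refresh logic, the unique index on previous_refresh_token, and the two explicit-revocation rules. The assumptions are mine, not the gist's: expires_in bounds the whole row (refresh token included), the clock is integer seconds and the lifetime is a constructed 90 s so that the gist's "expired" / "not expired" labels come out as written, a revoked row with no successor is rejected, and token ids a01/r01, a02/r02, ... come from a counter rather than a random generator.

```python
import sqlite3

# Added example, not the gist's code. Times are integer seconds on a constructed clock.
SCHEMA = """
CREATE TABLE access_tokens (
    access_token           TEXT PRIMARY KEY,
    refresh_token          TEXT NOT NULL UNIQUE,
    previous_refresh_token TEXT,
    expires_in             INTEGER NOT NULL,
    created_at             INTEGER NOT NULL,
    revoked_at             INTEGER
);
-- The unique index the gist asks for: at most one successor row per refresh_token, so two
-- requests racing on r02 cannot both insert one (NULL, the initial grant, may repeat).
CREATE UNIQUE INDEX ix_access_tokens_prev ON access_tokens (previous_refresh_token);
"""
INSERT = ("INSERT INTO access_tokens (access_token, refresh_token, previous_refresh_token,"
          " expires_in, created_at) VALUES (?, ?, ?, ?, ?)")


class InvalidGrant(Exception):
    """Refresh rejected: token unknown, expired, or revoked with no successor."""


class TokenStore:
    def __init__(self, lifetime):
        self.lifetime = lifetime  # assumption: expires_in bounds the refresh token as well
        self.db = sqlite3.connect(":memory:")
        self.db.row_factory = sqlite3.Row
        self.db.executescript(SCHEMA)
        self._seq = 0  # constructed ids a01/r01, a02/r02, ... instead of random tokens

    def _mint(self):
        self._seq += 1
        return f"a{self._seq:02d}", f"r{self._seq:02d}"

    def row(self, column, value):
        # column is a literal chosen by this class, never request data; value is bound
        assert column in ("access_token", "refresh_token", "previous_refresh_token")
        return self.db.execute(f"SELECT * FROM access_tokens WHERE {column} = ?", (value,)).fetchone()

    def _expired(self, row, now):
        return now >= row["created_at"] + row["expires_in"]

    def issue(self, now):
        a, r = self._mint()  # initial grant: a row with no previous_refresh_token
        with self.db:
            self.db.execute(INSERT, (a, r, None, self.lifetime, now))
        return a, r

    def refresh(self, refresh_token, now):
        old = self.row("refresh_token", refresh_token)
        if old is None or self._expired(old, now):
            raise InvalidGrant("unknown or expired refresh_token")  # "revoked and expired" rows end here
        if old["revoked_at"] is not None:
            # "Revoked but not expired": replay the successor already issued for this token,
            # so client process 2 racing on r02 gets a03/r03 again.
            succ = self.row("previous_refresh_token", refresh_token)
            if succ is None:
                raise InvalidGrant("refresh_token revoked")
            return succ["access_token"], succ["refresh_token"]
        new_a, new_r = self._mint()
        try:
            with self.db:  # one transaction: insert the successor, revoke the predecessor
                self.db.execute(INSERT, (new_a, new_r, refresh_token, self.lifetime, now))
                self.db.execute("UPDATE access_tokens SET revoked_at=? WHERE refresh_token=?", (now, refresh_token))
        except sqlite3.IntegrityError:
            # Lost a true race (another request inserted the successor between our SELECT and
            # INSERT): the unique index refused ours, so hand out the winner's tokens instead.
            succ = self.row("previous_refresh_token", refresh_token)
            return succ["access_token"], succ["refresh_token"]
        return new_a, new_r

    def revoke_refresh_token(self, refresh_token):
        """Explicit refresh-token revocation: delete the row, so no grace-period replay survives."""
        with self.db:
            self.db.execute("DELETE FROM access_tokens WHERE refresh_token = ?", (refresh_token,))

    def revoke_access_token(self, access_token, now):
        """Explicit access-token revocation: set revoked_at; access tokens have no grace state."""
        with self.db:
            self.db.execute("UPDATE access_tokens SET revoked_at=? WHERE access_token=?", (now, access_token))

    def access_token_valid(self, access_token, now):
        row = self.row("access_token", access_token)
        return row is not None and row["revoked_at"] is None and not self._expired(row, now)


def run_gist_timeline():
    """Replay the gist's timeline; a constructed 90 s lifetime reproduces its expiry labels."""
    t = {"00:01:01": 61, "00:02:02": 122, "00:03:03": 183, "00:03:04": 184, "00:04:04": 244}
    store, out = TokenStore(lifetime=90), {}
    out["00:01:01"] = store.issue(t["00:01:01"])           # a01 / r01
    out["00:02:02"] = store.refresh("r01", t["00:02:02"])  # a02 / r02
    out["00:03:03"] = store.refresh("r02", t["00:03:03"])  # process 1: a03 / r03
    out["00:03:04"] = store.refresh("r02", t["00:03:04"])  # process 2: a03 / r03 again
    out["00:04:04"] = store.refresh("r03", t["00:04:04"])  # a04 / r04
    try:
        out["r02@00:04:04"] = store.refresh("r02", t["00:04:04"])  # a02 row: revoked and expired
    except InvalidGrant:
        out["r02@00:04:04"] = "rejected"
    out["revoked_at"] = [store.row("access_token", a)["revoked_at"] for a in ("a01", "a02", "a03", "a04")]
    return out
```

The revoked_at check alone already makes the second refresh of r02 idempotent once the first one has committed; the unique index covers the window in which both requests have read the r02 row as still active, where without it each would insert its own successor and the client processes would end up holding different token pairs.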