Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Example:
* (00:01:01): Initial state: client stores access_token=a01 and refresh_token=r01.
API DB access_tokens table is as following:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:00:01 | |
* (00:02:02): Client refreshes token using refresh_token=r01.
It gets access_token=a02 and refresh_token=r02.
API DB access_tokens table becomes as following:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:01:01 | 00:02:02 | <- revoked but not expired
| a02 | r02 | r01 | 3605 | 00:02:02 | |
* (00:03:03): Client process 1 refreshes token using refresh_token=r02.
It gets access_token=a03 and refresh_token=r03.
API DB access_tokens table becomes as following:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:01:01 | 00:02:02 | <- revoked and expired
| a02 | r02 | r01 | 3605 | 00:02:02 | 00:03:03 | <- revoked but not expired
| a03 | r03 | r02 | 3605 | 00:03:03 | |
* (00:03:04): Client process 2 refreshes token using refresh_token=r02.
It gets access_token=a03 and refresh_token=r03 again!!!
API returns a03 & r03 again because a row with previous_refresh_token=r02 exists (a03 & r03) and
it's still not expired although revoked_at is set.
(we need an index (unique index) on previous_refresh_token column).
API DB access_tokens table doesn't change.
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:01:01 | 00:02:02 | <- revoked and expired
| a02 | r02 | r01 | 3605 | 00:02:02 | 00:03:03 | <- revoked but not expired
| a03 | r03 | r02 | 3605 | 00:03:03 | |
* (00:04:04): Client refreshes token using refresh_token=r03.
It gets access_token=a04 and refresh_token=r04.
API DB access_tokens table becomes as following:
| access_token | refresh_token | previous_refresh_token | expires_in | created_at | revoked_at |
| a01 | r01 | | 3605 | 00:01:01 | 00:02:02 | <- revoked and expired
| a02 | r02 | r01 | 3605 | 00:02:02 | 00:03:03 | <- revoked and expired
| a03 | r03 | r02 | 3605 | 00:03:03 | 00:04:04 | <- revoked but not expired
| a04 | r04 | r03 | 3605 | 00:04:04 | |
* How to revoke a refresh token explicitly? => Delete the row instead of setting revoked_at.
* How to revoke an access token explicitly? => Set revoked_at. "Revoked but not expired" state is applicable only to refresh_token.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment