Consider this scenario:
I have a /token endpoint in my proxy where I send an external authorization code to a target backend to exchange for external access token 1 and external refresh token 1. Upon success, I store these tokens using the OAuthV2 policy.
I then call the /token endpoint again to use the refresh token to obtain access token 2.
Finally, I call a /revoke endpoint where we invalidate refresh token 1. This would also invalidate access token 1 BUT it does not revoke access token 2.
My question is: Is there an existing Apigee policy/function that I can use to associate the newly generated access token 2 to refresh token 1? This way when I revoke the refresh token during the /revoke call I can revoke all associated access tokens?
Note that during refresh token exchange the grant_type will be 'refresh_token' instead of the grant_types Apigee supports for Refresh Token storage through OAuthV2 policy (authorization_code/password).
There is a ReuseRefreshToken element in the OAuthV2 policy, which you can apply in the case of Operation = RefreshAccessToken. This will allow you to re-use the refresh token for each new access token, until the refresh token expires.
If you use <ReuseRefreshToken>true</ReuseRefreshToken>, be aware that OAuth experts consider the practice of re-using refresh tokens as insecure. The "Best Current Practice" document recommends that you get a new refresh token with each refresh, to minimize the exposure to replay attacks. Specifying <ReuseRefreshToken>false</ReuseRefreshToken> will do that. You can alternatively omit this configuration element from the policy; false is the default.
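As an added illustration (not part of the original answer or of Apigee's own documentation), here are two OAuthV2 policies for the refresh step side by side. The policy names and the request variable references are assumptions; the elements themselves (Operation, GrantType, RefreshToken, ReuseRefreshToken, ExpiresIn, GenerateResponse) are standard OAuthV2 policy elements. The first keeps refresh token 1 alive across refreshes, so every access token minted from it stays tied to that one refresh token and revoking it invalidates all of them; the second rotates the refresh token on each call, which is the default and the behaviour the Best Current Practice recommends.

```xml
<!-- Added example: refresh step that keeps the same refresh token.
     Revoking refresh token 1 later invalidates every access token
     issued from it. Trade-off: a leaked refresh token stays usable
     until it expires, which is why the BCP advises against this. -->
<OAuthV2 name="OAuthV2-RefreshAccessToken-Reuse">   <!-- policy name is assumed -->
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>                    <!-- access token lifetime, ms; sample value -->
  <GrantType>request.formparam.grant_type</GrantType>        <!-- expects refresh_token -->
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <ReuseRefreshToken>true</ReuseRefreshToken>       <!-- refresh token 1 is returned again -->
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Added example: refresh step with rotation (the default). Each
     refresh returns a new refresh token and the old one is retired,
     so a replayed refresh token 1 fails after the first use. The
     caller must persist the new refresh token from each response. -->
<OAuthV2 name="OAuthV2-RefreshAccessToken-Rotate">  <!-- policy name is assumed -->
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <GrantType>request.formparam.grant_type</GrantType>
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <ReuseRefreshToken>false</ReuseRefreshToken>      <!-- may be omitted; false is the default -->
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

With the rotating policy, the /revoke step in the scenario still works as intended as long as the client revokes the refresh token it most recently received rather than refresh token 1, since each new refresh token is the one currently associated with the latest access token.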