OAuthV2 associating newly refreshed access tokens in Apigee token store

Consider this scenario:

I have /token endpoint in my proxy where I send an external authorization code to a target backend to exchange for external access token 1 and external refresh token 1. Upon success, I store these tokens using the OAuthV2 policy.

I then call the /token endpoint again to use the refresh token to obtain access token 2.

Finally, I call a /revoke endpoint where we invalidate refresh token 1. This would also invalidate access token 1 BUT it does not revoke access token 2.

My question is: Is there an existing Apigee policy/function that I can use to associate the newly generated access token 2 to refresh token 1? This way when I revoke the refresh token during the /revoke call I can revoke all associated access tokens?

Note that during refresh token exchange the grant_type will be 'refresh_token' instead of the grant_types Apigee supports for Refresh Token storage through OAuthV2 policy (authorization_code/password).

ACCEPTED SOLUTION

There is a ReuseRefreshToken element in the OAuthV2 policy, which you can apply in the case of Operation = RefreshAccessToken. This will allow you to re-use the refresh token for each new access token, until the refresh token expires.

If you use <ReuseRefreshToken>true</ReuseRefreshToken>, be aware that OAuth experts consider the practice of re-using refresh tokens as insecure. The "Best Current Practice" document recommends that you get a new refresh token with each refresh, to minimize the exposure to replay attacks. Specifying <ReuseRefreshToken>false</ReuseRefreshToken> will do that. You can alternatively omit this configuration element from the policy; false is the default.

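As an added illustration of the accepted answer (this is not code from the original post or from Apigee's documentation), the refresh-step OAuthV2 policy below shows the recommended rotation setting, with the weaker reuse setting kept as a commented alternative. The policy name and the form-parameter locations for grant_type and refresh_token are assumptions; the element names are the standard OAuthV2 policy elements.

```xml
<!-- Added example, not from the original post. The policy name and the
     form-parameter locations are assumptions; adjust them to the proxy. -->
<OAuthV2 name="OAuthV2-RefreshAccessToken">
  <Operation>RefreshAccessToken</Operation>
  <!-- Apigee reads the grant type from this variable; on the refresh call
       the client sends grant_type=refresh_token. -->
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- Where the presented refresh token (refresh token 1) is read from. -->
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <!-- Access token lifetime in milliseconds (one hour). -->
  <ExpiresIn>3600000</ExpiresIn>
  <!-- false (also the default): every refresh returns a NEW refresh token
       and the presented one stops working, so access token 2 is tied to
       refresh token 2. The client revokes whichever refresh token it
       currently holds. This rotation is what the OAuth Best Current
       Practice recommends, because a replayed old refresh token fails. -->
  <ReuseRefreshToken>false</ReuseRefreshToken>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Weaker variant, shown for contrast: with the line below in place of the
     one above, the same refresh token is returned on every refresh, so
     refresh token 1 stays associated with access token 2 and revoking it
     covers both. The cost is one long-lived refresh token that remains
     valid after each use, which is the setting the answer warns against. -->
<!--
  <ReuseRefreshToken>true</ReuseRefreshToken>
-->
```

With the default rotation in place, the /revoke call in the original scenario should be given the refresh token most recently returned to the client rather than refresh token 1, since that is the one access token 2 is associated with.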