Does using the refresh token re-validate the user account?

When a refresh_token is used to obtain a new access_token, does Edge revalidate that the account still exists? I.e., can a user with a valid refresh_token get a new token even if their account has just been deleted?

When generating an access token from the refresh token, only the validity of the refresh token is verified.

So in an ideal implementation, when a user logs out or an account is deactivated, the corresponding access_token needs to be invalidated / revoked. This will take care of revoking the refresh token as well.

Alternatively, you could implement additional validation logic in your refresh token flow using callouts.
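An Apigee Edge proxy fragment showing the callout approach from the answer, added here as an example (not code from the post or from Apigee; the policies are shown together although each normally lives in its own file). It assumes the user id was stored on the token as a custom attribute named user_id when it was issued and is readable as oauthv2refreshtoken.<policy>.user_id after GetOAuthV2Info (verify the variable name against your Edge version), and a hypothetical internal accounts service at https://accounts.example.internal that answers 200 only for an active account; anything else, including a callout failure, rejects the grant.

```xml
<!-- ProxyEndpoint flow: only the refresh_token grant gets the extra account check -->
<Flow name="RefreshToken">
  <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.formparam.grant_type = "refresh_token")</Condition>
  <Request>
    <Step><Name>OAuth-GetRefreshTokenInfo</Name></Step>
    <Step><Name>SC-AccountStatus</Name></Step>
    <!-- Fail closed: any status other than 200 from the account service rejects the grant -->
    <Step>
      <Condition>accountStatusResponse.status.code != 200</Condition>
      <Name>RF-AccountGone</Name>
    </Step>
    <Step><Name>OAuth-RefreshAccessToken</Name></Step>
  </Request>
</Flow>

<!-- Look up the refresh token so its custom attributes (assumed: user_id) become flow variables -->
<OAuthV2 name="OAuth-GetRefreshTokenInfo">
  <Operation>GetOAuthV2Info</Operation>
  <RefreshToken ref="request.formparam.refresh_token"/>
</OAuthV2>

<!-- Ask the (hypothetical) account service whether the user still exists and is active;
     a connection failure raises a fault by default, so the refresh is rejected then too -->
<ServiceCallout name="SC-AccountStatus">
  <Request variable="accountStatusRequest">
    <Set>
      <Verb>GET</Verb>
      <Path>/users/{oauthv2refreshtoken.OAuth-GetRefreshTokenInfo.user_id}/status</Path>
    </Set>
  </Request>
  <Response>accountStatusResponse</Response>
  <HTTPTargetConnection>
    <URL>https://accounts.example.internal</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- Standard OAuth error for a grant that is no longer acceptable -->
<RaiseFault name="RF-AccountGone">
  <FaultResponse>
    <Set>
      <StatusCode>400</StatusCode>
      <Payload contentType="application/json">{"error":"invalid_grant"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- Only reached when the account check passed; the refresh token itself is still validated here -->
<OAuthV2 name="OAuth-RefreshAccessToken">
  <Operation>RefreshAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <GrantType>request.formparam.grant_type</GrantType>
  <RefreshToken>request.formparam.refresh_token</RefreshToken>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```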

I agree with @Mukundha Madhavan, but Apigee has a bug in the ideal implementation he has advised. When you use the management API to revoke all the access tokens issued to a user, Apigee doesn't invalidate all the tokens even after 5 to 10 minutes (as per Apigee, it takes 5 to 10 minutes to revoke all the access tokens). The Apigee support team has acknowledged the bug.

We reported this issue to Apigee 1.5 years back, but they have not fixed it yet. Apigee seems to ignore all the major security risks.