Question
In principle, should any existing OAuth 2.0 refresh tokens (for a given client/user combination) be revoked when a new refresh token is issued following a password grant authentication?
I can't find anything specific in the spec. Would it be legitimate to reissue the same refresh token for subsequent password logins?
Answer 1:
The OAuth spec, Section 6, specifies that:
The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
So there is no requirement that you MUST issue a new refresh token and revoke the old one, however, for the same reason that access_tokens expire it would be a good idea to issue new ones. A compromised refresh_token would only be valid until the subsequent refresh. This would allow a developer to revoke the refresh token should it ever be leaked.
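As an added illustration (my own example, not code from the answer or from the spec), the following Python sketch is an in-memory refresh-token store that implements the three clauses quoted above: a refresh MAY issue a new refresh token, the old one MAY be revoked (here it always is), and the new refresh token keeps the scope of the one presented even when the client asks for a narrower access-token scope. A second password grant for the same client/user does not touch earlier tokens, matching the answer's point that nothing requires it. The token "family" bookkeeping and the rule that presenting an already-rotated token revokes the whole family are an added hardening assumption, not something the post describes; they make the "a compromised refresh token is only valid until the next refresh" property enforceable on the server side.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RefreshToken:
    value: str
    client_id: str
    user_id: str
    scope: frozenset
    family: str          # assumption: every token descending from one grant shares a family id
    revoked: bool = False


class RefreshTokenStore:
    """In-memory refresh-token store demonstrating rotation per RFC 6749, Section 6."""

    def __init__(self):
        self._tokens = {}

    def _mint(self, client_id, user_id, scope, family):
        tok = RefreshToken(secrets.token_urlsafe(32), client_id, user_id,
                           frozenset(scope), family)
        self._tokens[tok.value] = tok
        return tok

    def issue_from_password_grant(self, client_id, user_id, scope):
        # A fresh password login starts a new family; earlier families for the
        # same client/user are left untouched (the spec does not require revoking them).
        return self._mint(client_id, user_id, scope, family=secrets.token_hex(8))

    def refresh(self, presented, client_id, requested_scope=None):
        """Exchange a refresh token; returns (new_refresh_token, access_token_scope)."""
        old = self._tokens.get(presented)
        if old is None or old.client_id != client_id:
            raise PermissionError("invalid_grant")
        if old.revoked:
            # The token was already rotated away: someone is replaying it.
            # Assumption beyond the post: treat this as compromise and kill the family.
            self.revoke_family(old.family)
            raise PermissionError("invalid_grant: refresh token reuse detected")
        access_scope = frozenset(requested_scope) if requested_scope else old.scope
        if not access_scope <= old.scope:
            raise PermissionError("invalid_scope")  # may narrow, never widen
        # New refresh token MUST carry the same scope as the one the client presented,
        # regardless of the (possibly narrower) access-token scope requested.
        new = self._mint(client_id, old.user_id, old.scope, old.family)
        old.revoked = True   # the spec says MAY revoke; this store always does
        return new, access_scope

    def revoke_family(self, family):
        for tok in self._tokens.values():
            if tok.family == family:
                tok.revoked = True

    def is_valid(self, value):
        tok = self._tokens.get(value)
        return tok is not None and not tok.revoked


if __name__ == "__main__":
    store = RefreshTokenStore()
    first = store.issue_from_password_grant("app", "alice", {"read", "write"})
    second, granted = store.refresh(first.value, "app", {"read"})
    print("old valid:", store.is_valid(first.value), "new valid:", store.is_valid(second.value))
    print("access scope:", sorted(granted), "refresh scope:", sorted(second.scope))
```

Running it shows the old token invalid and the new one valid after one refresh, with the access-token scope narrowed to `read` while the new refresh token still carries `read` and `write`.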
Source: https://stackoverflow.com/questions/29937597/should-old-oauth-2-0-refresh-tokens-be-revoked