OAuth2AuthorizationCodeAuthenticationProvider should not issue refresh token to public client #296

Closed
jgrandja opened this issue May 20, 2021 · 0 comments
Labels: type: bug (A general bug)

jgrandja (Collaborator) commented May 20, 2021

The current implementation of OAuth2AuthorizationCodeAuthenticationProvider will issue a refresh token to a public client (authenticated via PKCE). This should not be allowed as there are a number of inherent risks with public clients and issuing a refresh token increases the risk to another level.

However, this capability may be introduced at a later point by implementing best practices outlined in OAuth 2.0 for Browser-Based Apps.

Related gh-297
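The decision the issue describes, as an added illustration that is not code from spring-authorization-server: a public client authenticates at the token endpoint with no credential (PKCE proves possession of the code_verifier, it does not authenticate the client), so the token endpoint should skip the refresh token for it even when the client registration lists the refresh_token grant. The type names (ClientAuthenticationMethod, RegisteredClient, TokenResponse), the sample client registrations and the token format are hypothetical stand-ins; only the S256 transform and the RFC 7636 sample code_verifier are standard.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import java.util.Set;

// Added illustration, not spring-authorization-server code. The type names
// below mirror the project's concepts by name only; they are hypothetical.
public class RefreshTokenPolicyExample {

    // How the client proved its identity at the token endpoint. NONE is what a
    // public client ends up with: PKCE binds the authorization code to the app
    // that started the flow, but it is not a client credential.
    enum ClientAuthenticationMethod { CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, NONE }

    record RegisteredClient(String clientId, Set<String> authorizationGrantTypes) {}

    record TokenResponse(String accessToken, Optional<String> refreshToken) {}

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))). */
    static String codeChallengeS256(String codeVerifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Constant-time comparison of the presented code_verifier against the stored code_challenge. */
    static boolean pkceVerifies(String codeVerifier, String storedCodeChallenge) {
        byte[] computed = codeChallengeS256(codeVerifier).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = storedCodeChallenge.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, expected);
    }

    /**
     * The policy this issue asks for: a refresh token is issued only when the
     * registration allows the refresh_token grant AND the client actually
     * authenticated (i.e. it is confidential). Listing refresh_token in the
     * registration is not enough on its own for a public client.
     */
    static boolean shouldIssueRefreshToken(RegisteredClient client,
                                           ClientAuthenticationMethod authenticatedWith) {
        return client.authorizationGrantTypes().contains("refresh_token")
                && authenticatedWith != ClientAuthenticationMethod.NONE;
    }

    /** Opaque random token; a real server would persist and bind it to the authorization. */
    static String opaqueToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** Simplified authorization_code exchange at the token endpoint. */
    static TokenResponse exchangeAuthorizationCode(RegisteredClient client,
                                                   ClientAuthenticationMethod authenticatedWith,
                                                   String codeVerifier,
                                                   String storedCodeChallenge) {
        // PKCE is mandatory for a public client and is checked for anyone who started with it.
        boolean pkceRequired = authenticatedWith == ClientAuthenticationMethod.NONE;
        if (pkceRequired || storedCodeChallenge != null) {
            if (codeVerifier == null || storedCodeChallenge == null
                    || !pkceVerifies(codeVerifier, storedCodeChallenge)) {
                throw new IllegalArgumentException("invalid_grant: PKCE verification failed");
            }
        }
        Optional<String> refreshToken = shouldIssueRefreshToken(client, authenticatedWith)
                ? Optional.of(opaqueToken())
                : Optional.empty();
        return new TokenResponse(opaqueToken(), refreshToken);
    }

    public static void main(String[] args) {
        // Constructed sample data. The code_verifier is the RFC 7636 Appendix B value;
        // the challenge is recomputed here rather than hard-coded.
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String challenge = codeChallengeS256(verifier);
        Set<String> grants = Set.of("authorization_code", "refresh_token");

        // Public client (SPA) authenticated via PKCE only: same grants, no refresh token.
        RegisteredClient spa = new RegisteredClient("spa-client", grants);
        TokenResponse publicResp = exchangeAuthorizationCode(spa,
                ClientAuthenticationMethod.NONE, verifier, challenge);
        System.out.println("public client refresh token issued: "
                + publicResp.refreshToken().isPresent());

        // Confidential client that authenticated with its secret: refresh token allowed.
        RegisteredClient backend = new RegisteredClient("backend-client", grants);
        TokenResponse confidentialResp = exchangeAuthorizationCode(backend,
                ClientAuthenticationMethod.CLIENT_SECRET_BASIC, verifier, challenge);
        System.out.println("confidential client refresh token issued: "
                + confidentialResp.refreshToken().isPresent());
    }
}
```

The two runs in `main` differ only in the authentication method, which is the point: the grant list is identical, and it is the absence of client authentication (not the absence of the refresh_token grant) that withholds the refresh token from the public client.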

@jgrandja jgrandja added the type: bug A general bug label May 20, 2021
@jgrandja jgrandja added this to the 0.1.2 milestone May 20, 2021
@jgrandja jgrandja changed the title OAuth2AuthorizationCodeAuthenticationProvider should not issue refresh token to public clients OAuth2AuthorizationCodeAuthenticationProvider should not issue refresh token to public client May 20, 2021
@jgrandja jgrandja modified the milestones: 0.1.2, 0.2.0 Jul 8, 2021
sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Jul 28, 2021
sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Jul 29, 2021
doba16 pushed a commit to doba16/spring-authorization-server that referenced this issue Apr 21, 2023