Refresh Token implementation and RFC 6749

Question

Refresh Token implementation and RFC 6749

ewgRa opened this issue 5 years ago · 6 comments

As far as I see gin-jwt consider Access token as same as Refresh token.
When we login, in response we can find a token that later we can send to refresh endpoint.
Additionally, we have also MaxRefresh settings, that allows us to refresh token, even if it is expired.
As far as I understand this approach increases security risks. The idea of refresh token - get it once, hide it better than access token and use it only for auth purposes, but not for access to resources.

Here RFC that clarify flow: https://tools.ietf.org/html/rfc6749#section-1.4.

Question is: what is the reason that gin-gwt implement it like this? How about to follow RFC6749?

Answer 1 · 2020-06-20T12:00:13.000Z

Any update?

Answer 2 · 2020-11-03T13:40:52.000Z

Any update? it has been more then a year since the initial request for this feature

Answer 3 · 2021-04-17T15:02:51.000Z

For the same reason I have decided not to use it and implement my own. A shame.

Answer 4 · 2021-04-17T15:06:41.000Z

@appleboy would you consider merging a PR implementing this ? That would be a breaking change for v3.0 I guess.

Answer 5 · 2021-06-13T03:31:07.000Z

This issue makes this package non usable for me.

Answer 6 · 2024-03-07T20:18:02.000Z

You could also explicitly state that in the docs the refresh token isn't implemented as one would expect, which would make everything a lot clearer