Sounds great, good for you. And yes, I'd certainly agree. A never-expiring RT or any token/ticket for that matter is generally a very bad idea.
--Misagh

> From: "Anders Olsen" <[email protected]>
> To: "CAS Community" <[email protected]>
> Cc: "Misagh Moayyed" <[email protected]>
> Sent: Thursday, February 1, 2018 7:40:42 AM
> Subject: Re: [cas-user] [OAuth2] Generate new refresh token when using a previous refresh-token
>
> Thank you for your answer.
>
> I have a bit of a concern about making the refresh tokens never expiring, since that would increase the possibility of intercepting the refresh token.
>
> I'll have a poke at the code and see if I can possibly make a new flag in the properties that users can set, and then make a pull request.
>
> Regards
> Anders Olsen
>
> On Thursday, 1 February 2018 at 14:48:02 UTC+1, Misagh Moayyed wrote:
>> There isn't, but you can design an expiration policy for the relevant tokens so they don't ever expire.
>> --Misagh
>>
>>> From: "Anders Olsen" <[email protected]>
>>> To: [email protected]
>>> Sent: Thursday, February 1, 2018 4:06:54 AM
>>> Subject: [cas-user] [OAuth2] Generate new refresh token when using a previous refresh-token
>>>
>>> Hi everyone!
>>>
>>> I am currently working on setting up CAS as the new SSO solution for our website.
>>> In addition to a traditional website, we also have native apps for Android and (soon) iOS that use OAuth2 to authenticate, as they need to have offline capability and thus cannot use a regular session.
>>>
>>> I have got most of the OAuth2 functionality to work, using this service definition:
>>>
>>> {
>>>   "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>>>   "clientId" : "XXX",
>>>   "clientSecret" : "XXXXX",
>>>   "generateRefreshToken" : true,
>>>   "jsonFormat" : true,
>>>   "supported_grants" : [ "password", "refresh_token" ],
>>>   "name" : "OAuth2 (Android)",
>>>   "id" : 201801311512
>>> }
>>>
>>> (Client ID and Secret have been obfuscated.)
>>>
>>> This also works fine to gain access tokens:
>>>
>>> Using password:
>>> {
>>>   "access_token": "AT-1-82jDv1D3pkvex5C1UYjKreBdhhw5omzc",
>>>   "token_type": "bearer",
>>>   "expires_in": 28800,
>>>   "refresh_token": "RT-1-so451CeJyePgl2RmXnefODw0nV9jTAgX"
>>> }
>>>
>>> Using refresh token:
>>> {
>>>   "access_token": "AT-2-7a6-eLsKlX9-jyYynqFjTqsneLE8WnlN",
>>>   "token_type": "bearer",
>>>   "expires_in": 28800
>>> }
>>>
>>> However, this means that when the refresh token expires, the user is totally shut out of CAS and has to re-login with his credentials.
>>> I would like for the user to never have to log in again after logging in the first time.
>>>
>>> Our previous OAuth2 server is based on http://bshaffer.github.io/oauth2-server-php-docs/ and one of the settings there, under http://bshaffer.github.io/oauth2-server-php-docs/grant-types/refresh-token/, is a flag "always_issue_new_refresh_token" which is default false but can be set to true to give the user a new refresh token whenever the previous refresh token is used for creating a new access token.
>>>
>>> Is there a setting or configuration in CAS that will enable the same behavior?
>>>
>>> Thank you for your time.
>>>
>>> Regards,
>>> Anders Olsen
>>> Software Developer
>>> Tel +45 3328 3800
>>> DOF / Birdlife Denmark | Vesterbrogade 140 | 1620 København V | www.dof.dk
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3B91F9D1-39B8-4549-9AE7-5C4A4E946AF2%40dof.dk.
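As an added illustration (not CAS code and not part of the thread): a hypothetical Python token endpoint that does what the requested `always_issue_new_refresh_token` flag does, rotating the refresh token on every refresh_token grant, and also addresses the interception concern raised above by treating replay of an already-rotated token as a signal to revoke the whole token family. The 30-day refresh lifetime, the family mechanism and the class and method names are assumptions; the 28800-second access lifetime matches the sample responses in the thread.

```python
import secrets
import time

ACCESS_TTL = 28800         # seconds; matches expires_in in the thread's sample responses
REFRESH_TTL = 30 * 86400   # assumption: a refresh token lives 30 days, renewed at every rotation


class RefreshTokenReuse(Exception):
    """A refresh token that was already exchanged has been presented again."""


class TokenService:
    """Hypothetical token endpoint (not CAS code) that issues a new refresh token on every
    refresh_token grant and revokes the whole token family when a rotated token is replayed."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested deterministically
        self.refresh = {}         # refresh token -> {"family", "exp", "used"}
        self.families = set()     # token families that are still trusted

    def _issue(self, family):
        rt = "RT-" + secrets.token_urlsafe(24)
        self.refresh[rt] = {"family": family, "exp": self.now() + REFRESH_TTL, "used": False}
        return {"access_token": "AT-" + secrets.token_urlsafe(24), "token_type": "bearer",
                "expires_in": ACCESS_TTL, "refresh_token": rt}

    def password_grant(self, username, password):
        # Credential verification is out of scope here; assume it succeeded.
        family = secrets.token_hex(8)   # one family per interactive login
        self.families.add(family)
        return self._issue(family)

    def refresh_grant(self, rt):
        rec = self.refresh.get(rt)
        if rec is None or rec["family"] not in self.families:
            raise ValueError("invalid_grant")
        if rec["used"]:
            # Replay of a rotated token: either the legitimate client or an interceptor
            # still holds a stale copy. Revoke the family so neither can continue.
            self.families.discard(rec["family"])
            raise RefreshTokenReuse(rec["family"])
        if rec["exp"] < self.now():
            raise ValueError("invalid_grant: refresh token expired")
        rec["used"] = True                 # the presented token is single-use
        return self._issue(rec["family"])  # new refresh token with a fresh lifetime
```

Because each rotation issues a token with a fresh lifetime, an app that refreshes at least once per REFRESH_TTL never forces the user to re-enter credentials, while a token that is intercepted and replayed is caught the moment both copies are used.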
