As I read back through this one I’m not getting why you need a new refresh token. What am I missing? -T
On Mon, Nov 26, 2012 at 6:27 PM, Brian Eaton <bea...@google.com> wrote:
> On Fri, Nov 23, 2012 at 4:43 AM, Bob Gregory <pathoge...@gmail.com> wrote:
>
>> We've had OAuth2 running successfully for a while now, but we're finding
>> that mobile applications have frequent problems with the refresh flow where
>> a refresh request is made, but the network connection fails before the new
>> AT/RT pair is received, leading to a "lost grant".
>>
>> In server-logs we can see that the token has been refreshed, and a new RT
>> issued, but the client is stuck with the old invalidated RT.
>>
>> This problem has been reported by two separate client applications, both
>> of whom are using a retry-mechanism for API requests since they expect an
>> unreliable network connection.
>>
>> Does anybody have any guidance on this issue, or is there any work in an
>> extension to address the issue of lost grants for token refreshes?
>>
>
> Have you considered not revoking the old RT until the new RT has been
> successfully used?
>
> You might also need to consider what happens with requests that are
> in-flight at the time the old RT is revoked. For example:
>
> 1) client starts token exchange, hangs for some reason.
> 2) client starts token exchange, succeeds, receives new refresh token
> 3) client uses new refresh token
> 4) request 1 completes
>
> That could all happen in the space of a second or two. So you might want
> to think about not revoking the old token until you see the new refresh
> token used and a bit of time has passed.
>
> Cheers,
> Brian
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
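The grace-period rotation that Brian sketches in the quoted reply, worked through as an added example (this is not code from the thread, from Google, or from any OAuth library; the class and method names, the in-memory store and the 30-second window are assumptions for illustration). The server keeps the old refresh token usable after a refresh until some successor token has actually been presented and a grace interval has elapsed since that first use. That covers both of Bob's lost-grant retries and Brian's in-flight sequence: request 1, completing after the new token has already been used, still succeeds inside the window and is only refused once the window has closed.

```python
"""Refresh-token rotation with a grace window (added example, not from the thread).

Rule implemented: an old refresh token (RT) is not revoked at the moment it is
exchanged. It is revoked lazily, on its next presentation, once (a) some RT
issued in exchange for it has itself been used and (b) GRACE_SECONDS have
passed since that use. Timestamps are passed in explicitly so the behaviour
can be reasoned about deterministically.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

GRACE_SECONDS = 30.0  # assumed value for "a bit of time" after the new RT is used


@dataclass
class RefreshToken:
    value: str
    grant_id: str
    revoked: bool = False
    used_at: Optional[float] = None          # when this RT was first exchanged
    children: list = field(default_factory=list)  # RTs issued in exchange for this one


class TokenStore:
    """Hypothetical in-memory RT store; a real deployment would persist this."""

    def __init__(self) -> None:
        self._tokens: dict[str, RefreshToken] = {}

    def issue_initial(self, grant_id: str) -> str:
        rt = RefreshToken(secrets.token_urlsafe(32), grant_id)
        self._tokens[rt.value] = rt
        return rt.value

    def refresh(self, old_value: str, now: float) -> tuple[str, str]:
        """Exchange an RT for a new (access_token, refresh_token) pair.

        Raises PermissionError("invalid_grant") for unknown, revoked, or
        grace-expired tokens, mirroring the OAuth 2.0 error code.
        """
        old = self._tokens.get(old_value)
        if old is None or old.revoked:
            raise PermissionError("invalid_grant")
        # The RT was exchanged before: refuse it only once its grace window is over.
        if old.used_at is not None and self._grace_expired(old, now):
            old.revoked = True
            raise PermissionError("invalid_grant")
        if old.used_at is None:
            old.used_at = now
        new = RefreshToken(secrets.token_urlsafe(32), old.grant_id)
        self._tokens[new.value] = new
        old.children.append(new)
        access_token = secrets.token_urlsafe(32)  # stand-in for a real AT
        return access_token, new.value

    def is_revoked(self, value: str) -> bool:
        rt = self._tokens.get(value)
        return rt is None or rt.revoked

    @staticmethod
    def _grace_expired(old: RefreshToken, now: float) -> bool:
        # Grace ends only after a successor RT has been used AND
        # GRACE_SECONDS have elapsed since that first use.
        return any(
            child.used_at is not None and now - child.used_at >= GRACE_SECONDS
            for child in old.children
        )


def brian_sequence(store: TokenStore, rt0: str) -> dict:
    """Replays the four-step in-flight scenario from the thread, plus a late retry."""
    _, rt2 = store.refresh(rt0, now=1.0)          # step 2: exchange succeeds
    store.refresh(rt2, now=2.0)                   # step 3: client uses the new RT
    late_ok = store.refresh(rt0, now=3.0) is not None  # step 4: request 1 completes
    try:                                          # well past the grace window
        store.refresh(rt0, now=2.0 + GRACE_SECONDS + 10)
        after_grace_ok = True
    except PermissionError:
        after_grace_ok = False
    return {"in_flight_ok": late_ok, "after_grace_ok": after_grace_ok,
            "old_revoked": store.is_revoked(rt0)}


if __name__ == "__main__":
    s = TokenStore()
    print(brian_sequence(s, s.issue_initial("grant-1")))
```

The lost-grant case from Bob's message falls out of the same rule: a client that never received the refresh response retries with the RT it still holds, no successor has been used yet, so the retry is honoured and a fresh pair is issued. The trade-off is that, inside the window, several valid RTs exist for one grant, which is why the window should be short and why an RT presented after the window is revoked rather than silently ignored.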