by as1mov
1080 days ago
> On brief reflection, while writing this comment, it seems like the only solution is to fall back to some other (long-lived) identity (from which the original OAuth token was derived).

I have been working on an OAuth service provider for the past few months and ran into this scenario. We came up with a solution of not immediately expiring the refresh token after it's used, but setting its expiry to X seconds (<30s) in the future and putting it in a leeway state. If another call with the same refresh token is received within the X seconds and the refresh token is in the leeway state, a new token pair is created. If the refresh token is used after X seconds, it's no longer valid and a new authorization has to be generated. Of course this isn't a foolproof solution; it has its own caveats, but it's better than the alternative of forcing the user to go through the authorization process again or keeping the refresh token alive forever.
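The leeway-state rotation the comment describes, as an added example (not code from the commenter's service). It assumes a 30 s window for the unspecified "X seconds", an injectable clock so the window can be exercised deterministically, and that a token presented after its window revokes every token in the same family, which is how it forces a fresh authorization.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

LEEWAY_SECONDS = 30.0  # assumed value; the comment only says "X seconds (<30s)"

class InvalidGrant(Exception):
    """The presented refresh token is unknown, expired or revoked."""

@dataclass
class RefreshRecord:
    subject: str
    family: str                      # all tokens descended from one authorization
    used_at: Optional[float] = None  # None: never used; else start of leeway state
    revoked: bool = False

class RefreshTokenStore:
    def __init__(self, leeway: float = LEEWAY_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.leeway = leeway
        self.clock = clock  # injectable so the window can be tested deterministically
        self.records: dict[str, RefreshRecord] = {}

    def issue(self, subject: str, family: Optional[str] = None) -> str:
        """Mint a fresh refresh token; a new family means a new authorization."""
        token = secrets.token_urlsafe(32)
        self.records[token] = RefreshRecord(subject, family or secrets.token_hex(8))
        return token

    def rotate(self, presented: str) -> str:
        """Exchange a refresh token for a new one, honouring the leeway state."""
        rec = self.records.get(presented)
        if rec is None or rec.revoked:
            raise InvalidGrant("unknown or revoked refresh token")
        now = self.clock()
        if rec.used_at is not None and now - rec.used_at > self.leeway:
            # Reuse after the window: the token is dead. Assumption: the whole
            # family is revoked too, so the client must re-authorize.
            self.revoke_family(rec.family)
            raise InvalidGrant("refresh token reused after leeway window")
        if rec.used_at is None:
            rec.used_at = now  # first use: enter leeway state instead of expiring
        return self.issue(rec.subject, rec.family)  # retry in window: new pair

    def revoke_family(self, family: str) -> None:
        for r in self.records.values():
            if r.family == family:
                r.revoked = True
```

The window is measured from the first use, not the most recent retry, so a client cannot keep a single refresh token alive by re-presenting it every few seconds.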