Is there a Grace Period for One Use Refresh Tokens?
-
About 'one use' refresh tokens, how do they work with concurrency? If I fire two requests in parallel from my SPA with an expired id token (i.e. often), won't the request processed last fail because the refresh token has been invalidated by its one-time use in the first request? Or some other nasty race condition?
My question then is: do you make provision for a 'grace period' whereby refresh tokens are still accepted if they were invalidated very very recently? I don't see a config for that, but maybe you use some sort of sane default.
thanks!
-
I have not heard of such a race condition. To confirm, are you seeing this behavior currently in your SPA?
Thanks,
Josh
-
Hey @joshua,
The problem is widely reported in association with a number of causes (concurrency, multiple tabs, network jitter). In my case, it's concurrency. The SPA makes bursts of calls to fetch data in parallel and would hit the issue along the lines I described in my original post.
I could do some form of synchronization in the RP and ensure concurrent requests are kept waiting until your Token endpoint returns a new refresh token. But this is heavy-handed and genuinely problematic if the RP is replicated.
A grace period for older tokens seems the easier solution to me.
Auth0 has a Renew interval to cope with this (https://auth0.com/docs/security/tokens/refresh-tokens/configure-refresh-token-rotation#configure-in-the-dashboard).
Okta has a Grace Period (https://developer.okta.com/docs/guides/refresh-tokens/refresh-token-rotation/#grace-period-for-token-rotation).
IdentityServer has a hook to implement something similar (https://identityserver4.readthedocs.io/en/latest/topics/refresh_tokens.html).
So no, wasn't going to try token rotation until I'd heard your take on the issue in FA.
Keeping 'sliding tokens' for now, but would enjoy the extra security of token rotation.
-
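Added example, not FusionAuth code and not posted by anyone in this thread: a small constructed model of the three things discussed above, the race an SPA hits when it presents the same one-time refresh token from several parallel requests, a server-side grace period of the kind Auth0 and Okta offer, and the RP-side synchronization workaround (a "single-flight" refresh that makes concurrent callers share one pending token-endpoint call). Every name in it (makeAuthServer, makeClient, runParallelRefresh, reuseAfterGrace) is hypothetical, the token endpoint is an in-memory stand-in, and the grace semantics assumed here (replay the first caller's response while the window is open, revoke the whole token family once it has closed) are one reasonable reading of what those vendors describe, not a statement of any product's exact behaviour.

```javascript
// Added, constructed model of one-time-use refresh token rotation. Not FusionAuth
// code and not from this thread; every name below (makeAuthServer, makeClient,
// runParallelRefresh, reuseAfterGrace) is hypothetical.

let tokenSeq = 0;

// Authorization server side: a token endpoint with rotating refresh tokens.
// gracePeriodMs = 0 means strict one-time use (the behaviour the post worries about).
function makeAuthServer({ gracePeriodMs = 0 } = {}) {
  const tokens = new Map(); // refreshToken -> { family, usedAt, replay }
  let clock = 0;            // simulated milliseconds, keeps the run deterministic
  const server = { calls: 0 };

  function issue(family) {
    const rt = `rt-${++tokenSeq}`;
    tokens.set(rt, { family, usedAt: null, replay: null });
    return { accessToken: `at-${tokenSeq}`, refreshToken: rt };
  }

  server.advance = (ms) => { clock += ms; };
  server.login = () => issue(`fam-${tokenSeq + 1}`);

  // Models POST /token with grant_type=refresh_token.
  server.refresh = (rt) => {
    server.calls += 1;
    const rec = tokens.get(rt);
    if (!rec) return { error: 'invalid_grant' };
    if (rec.usedAt !== null) {
      // Already rotated. Inside the grace window, replay the response the first
      // caller got (the assumed grace semantics here); outside it, treat the
      // presentation as reuse and revoke the whole token family.
      if (clock - rec.usedAt < gracePeriodMs) return rec.replay;
      for (const [k, v] of tokens) if (v.family === rec.family) tokens.delete(k);
      return { error: 'invalid_grant', reason: 'refresh_token_reuse' };
    }
    rec.usedAt = clock;
    rec.replay = issue(rec.family);
    return rec.replay;
  };
  return server;
}

// SPA side. With singleFlight, concurrent callers share one pending refresh
// instead of each presenting the same refresh token to the token endpoint.
function makeClient(server, { singleFlight = false } = {}) {
  let session = server.login();
  let inFlight = null;

  async function refresh() {
    if (singleFlight && inFlight) return inFlight;
    const presented = session.refreshToken; // read before any await: this is the race
    const p = Promise.resolve()
      .then(() => server.refresh(presented))
      .then((res) => {
        if (res.error) throw new Error(res.reason || res.error);
        session = res;
        return res.accessToken;
      })
      .finally(() => { inFlight = null; });
    if (singleFlight) inFlight = p;
    return p;
  }
  return { refresh };
}

// Fire n refreshes at once, as a burst of parallel API calls would, and summarise.
function runParallelRefresh({ serverOpts = {}, clientOpts = {}, n = 3 } = {}) {
  const server = makeAuthServer(serverOpts);
  const client = makeClient(server, clientOpts);
  const burst = Array.from({ length: n }, () => client.refresh());
  return Promise.allSettled(burst).then((results) => ({
    succeeded: results.filter((r) => r.status === 'fulfilled').length,
    failed: results.filter((r) => r.status === 'rejected').length,
    tokenEndpointCalls: server.calls,
  }));
}

// A grace period is not a free pass: once it has elapsed, presenting the old
// token is reuse, and reuse revokes the successor token as well.
function reuseAfterGrace() {
  const server = makeAuthServer({ gracePeriodMs: 30000 });
  const first = server.login();
  const rotated = server.refresh(first.refreshToken);
  server.advance(31000);
  const late = server.refresh(first.refreshToken);
  const successor = server.refresh(rotated.refreshToken);
  return { lateReason: late.reason, successorError: successor.error };
}

(async () => {
  console.log('strict one-time use:', await runParallelRefresh());
  console.log('30s grace period:  ', await runParallelRefresh({ serverOpts: { gracePeriodMs: 30000 } }));
  console.log('single-flight SPA: ', await runParallelRefresh({ clientOpts: { singleFlight: true } }));
  console.log('reuse after grace: ', reuseAfterGrace());
})();
```

Run with node: strict one-time use lets one of three parallel refreshes through and fails the other two (and, because the family is revoked on reuse, the "successful" session is dead too); a 30 s grace period lets all three succeed at the cost of three token-endpoint calls; the single-flight client gets all three through with a single call and needs no server-side grace at all, which is why that client-side fix is worth having even on a server that offers a grace window. The last case shows the flip side the thread alludes to: a grace period has to close, and after it closes the old token is treated as reuse.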
I am not aware of a solution for this within FusionAuth currently other than the workarounds that you have suggested.
As always, please feel empowered to log a feature request (https://github.com/FusionAuth/fusionauth-issues/issues/new/choose) to have this use case reviewed.
edit - looks like there is an open issue
https://github.com/FusionAuth/fusionauth-issues/issues/1361
and linking our roadmap -
https://fusionauth.io/docs/v1/tech/core-concepts/roadmap/
Thanks,
Josh
FusionAuth
-
thanks @joshua,
1361 seems to be about client secret rotation, not refresh tokens.
But the implications seem the same to me: if you rotate, whatever you rotate, you have the problem above and the need for a grace period.
I think my question is answered anyway; I will look forward to adopting refresh token rotation when it's safer to do that in the face of clients that use parallel requests.
cheers
f