FusionAuth
    fabio.simeoni

    @fabio.simeoni

    0
    Reputation
    1
    Profile views
    3
    Posts
    0
    Followers
    0
    Following
    Joined Last Online

    fabio.simeoni Unfollow Follow

    Latest posts made by fabio.simeoni

    • RE: Is there a Grace Period for One Use Refresh Tokens?

      thanks @joshua,

      1361 seems to be about client secret rotation, not refresh tokens.

      But the implications seem the same to me: if you rotate - whatever you rotate - you have the problem above and the need for a grace period.

      I think my question is answered anyway; I will look forward to adopting refresh token rotation when it is safer to do so in the face of clients that use parallel requests.

      cheers
      f

      posted in Q&A
      fabio.simeoni
    • RE: Is there a Grace Period for One Use Refresh Tokens?

      Hey @joshua,

      The problem is widely reported in association with a number of causes (concurrency, multiple tabs, network jitter). In my case, it's concurrency: the SPA makes bursts of calls to fetch data in parallel and would hit the issue along the lines I described in my original post.

      I could do some form of synchronization in the RP and ensure concurrent requests are kept waiting until your Token endpoint returns a new refresh token. But this is heavy-handed and genuinely problematic if the RP is replicated.

      A grace period for older tokens seems the easier solution to me. Auth0 has a Renew interval to cope with this (https://auth0.com/docs/security/tokens/refresh-tokens/configure-refresh-token-rotation#configure-in-the-dashboard). Okta has a Grace Period (https://developer.okta.com/docs/guides/refresh-tokens/refresh-token-rotation/#grace-period-for-token-rotation). IdentityServer has a hook to implement something similar (https://identityserver4.readthedocs.io/en/latest/topics/refresh_tokens.html).

      So no, I wasn't going to try token rotation until I'd heard your take on the issue in FA.
      Keeping 'sliding tokens' for now, but would enjoy the extra security of token rotation.

      posted in Q&A
      fabio.simeoni
    • Is there a Grace Period for One Use Refresh Tokens?

      About 'one use' refresh tokens, how do they work with concurrency? If I fire two requests in parallel from my SPA with an expired id token (i.e. often), won't the request processed last fail because the refresh token has been invalidated by its one-time use in the first request? Or some other nasty race condition?

      My question then is: do you make provision for a 'grace period' whereby refresh tokens are still accepted if they were invalidated very very recently? I don't see a config for that, but maybe you use some sort of sane default.

      thanks!

      posted in Q&A
      fabio.simeoni
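Added example, not code from this thread, from FusionAuth, or from any of the vendors linked in the replies: a small Node.js model of the race described in the original question above, and of the two mitigations discussed in the replies (a server-side grace window for a just-rotated refresh token, and client-side synchronization so that concurrent requests share one in-flight refresh). `MockTokenEndpoint`, `SpaClient`, the `invalid_grant` error string and the grace semantics (the same rotated pair is replayed inside the window; the whole token family is revoked on reuse outside it, as reuse-detection designs commonly do) are assumptions for illustration only, not FusionAuth behaviour or configuration. The clock is passed in explicitly so the runs are deterministic.

```javascript
// Added example, not FusionAuth code: an in-memory model of one-use refresh
// token rotation with an optional server-side grace window, plus a SPA-side
// single-flight refresher. Endpoint shape, error strings and grace semantics
// (same successor replayed inside the window, whole family revoked on reuse
// outside it) are assumptions for illustration, not any vendor's API.

class MockTokenEndpoint {
  constructor({ graceMs = 0 } = {}) {
    this.graceMs = graceMs;
    this.records = new Map(); // refreshToken -> { family, usedAt, successor, revoked }
    this.counter = 0;
  }

  issue(family) {
    const n = ++this.counter;
    const pair = { accessToken: `at_${n}`, refreshToken: `rt_${n}` };
    this.records.set(pair.refreshToken, { family, usedAt: null, successor: null, revoked: false });
    return pair;
  }

  login() {
    return this.issue(`fam_${this.counter + 1}`);
  }

  // Exchange a refresh token. `now` is a caller-supplied ms clock so runs are deterministic.
  async refresh(refreshToken, now) {
    await Promise.resolve(); // yield once, so concurrent callers interleave like real network calls
    const rec = this.records.get(refreshToken);
    if (!rec || rec.revoked) throw new Error("invalid_grant");
    if (rec.usedAt === null) { // first use: rotate
      rec.usedAt = now;
      rec.successor = this.issue(rec.family);
      return rec.successor;
    }
    if (now - rec.usedAt < this.graceMs) { // reuse inside the grace window: replay the rotated pair
      return rec.successor;
    }
    // Reuse outside the window: treat the token as replayed/stolen and revoke its whole family.
    for (const r of this.records.values()) if (r.family === rec.family) r.revoked = true;
    throw new Error("invalid_grant");
  }
}

class SpaClient {
  constructor(endpoint, { singleFlight }) {
    this.endpoint = endpoint;
    this.singleFlight = singleFlight;
    this.tokens = endpoint.login();
    this.inflight = null;  // the shared refresh promise while singleFlight is on
    this.refreshCalls = 0; // how many times the token endpoint was actually hit
  }

  // Called by every API request that finds its access token expired.
  getAccessToken(now) {
    if (!this.singleFlight) return this.refreshNow(now);
    if (!this.inflight) {
      this.inflight = this.refreshNow(now).finally(() => { this.inflight = null; });
    }
    return this.inflight; // concurrent callers all await the one in-flight refresh
  }

  async refreshNow(now) {
    this.refreshCalls++;
    const fresh = await this.endpoint.refresh(this.tokens.refreshToken, now);
    this.tokens = fresh;
    return fresh.accessToken;
  }
}

// A burst of `parallel` requests that all see an expired access token at the same instant.
async function runScenario({ graceMs, singleFlight, parallel = 3, now = 1000 }) {
  const endpoint = new MockTokenEndpoint({ graceMs });
  const client = new SpaClient(endpoint, { singleFlight });
  const results = await Promise.allSettled(
    Array.from({ length: parallel }, () => client.getAccessToken(now)));
  const ok = results.filter((r) => r.status === "fulfilled").length;
  const refreshCalls = client.refreshCalls;
  // Can the SPA still refresh later, or did the race trip reuse detection and revoke the family?
  const recoveredLater = await client.getAccessToken(now + 1000).then(() => true, () => false);
  return { ok, failed: parallel - ok, refreshCalls, recoveredLater };
}

// Replay an already-rotated refresh token `delayMs` after its first use.
async function replayOldToken({ graceMs, delayMs }) {
  const endpoint = new MockTokenEndpoint({ graceMs });
  const first = endpoint.login();
  const rotated = await endpoint.refresh(first.refreshToken, 1000);
  const replay = await endpoint.refresh(first.refreshToken, 1000 + delayMs).catch(() => null);
  const successorStillValid = await endpoint.refresh(rotated.refreshToken, 1000 + delayMs + 1)
    .then(() => true, () => false);
  return {
    replayAccepted: replay !== null,
    sameTokenReplayed: replay !== null && replay.refreshToken === rotated.refreshToken,
    successorStillValid,
  };
}

// Stand-alone demo: print the outcome of each configuration.
Promise.all([
  runScenario({ graceMs: 0, singleFlight: false }),
  runScenario({ graceMs: 0, singleFlight: true }),
  runScenario({ graceMs: 5000, singleFlight: false }),
]).then(([race, coalesced, graced]) => {
  console.log("no grace, no single-flight:", race);
  console.log("no grace, single-flight:  ", coalesced);
  console.log("5s grace, no single-flight:", graced);
});
```

With `graceMs: 0` and no single-flight, a burst of three concurrent refreshes yields one success and two `invalid_grant` failures, and because the reuse trips family revocation the SPA cannot refresh afterwards either, so the race costs more than one failed request. Either mitigation alone makes the burst succeed; the single-flight client additionally reduces token endpoint traffic to one call per expiry, but its in-flight state lives in one process, which is the replicated-RP problem raised in the reply and the reason a server-side window is attractive there. The `replayOldToken` helper shows the window's other edge: a replay inside it returns the same rotated pair, while a replay after it is rejected and also invalidates the successor.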