[MODAT-67] One-time use refresh tokens - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Story
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: None
Fix Version/s: 3.0.0
Labels:

Template:
Sprint:
CP: R3 2022 roadmap
Story Points:
3
Development Team:
Core: Platform
Epic Link:
Refresh token rotation

Description

Overview

In order to minimize the impact of a leaked refresh token, they should be limited to one-time use. We should detect when a refresh token is attempted to be used more than once. When that happens, that refresh token, and all other refresh tokens associated with it should be revoked.

Approach

See the wiki for details

Acceptance Criteria

refresh tokens can only be used once
when a refresh token is used more than once, revoke the token and all associated refresh tokens

TestRail: Results

Attachments

Issue Links

is blocked by

MODAT-64 Enforce access token expiration

Closed

MODAT-109 Implement new token types

Closed

MODAT-110 Implement token persistent store

Closed

relates to

FOLIO-2556 SPIKE: investigate refresh tokens support in FOLIO

Closed

mentioned in: Page Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Craig McNally

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 21/Apr/20 8:21 PM

Updated:: 03/Nov/22 8:26 PM

Resolved:: 28/Mar/22 5:07 PM

One-time use refresh tokens