Oct 11th, 2012, 11:39 AM
Multiple valid OAuth access tokens for same client
In DefaultTokenServices, I see that if a request for a token is made and a valid non-expired access token exists, the same access token is returned back. I was wondering if this is typically the way access tokens are issued. If I have the same user login from the same client using the same credentials, but on three different devices, say a mobile phone, a tablet and a desktop, does it make sense to give him the same access token for all the three authorization calls he makes from each device?
In general, can every authorization call to /oauth/token issue a new token, or should it always return an existing acces token if one such valid token exists? Is it ok to have a single client associated with multiple valid access/refresh tokens at any point of time?
Oct 12th, 2012, 09:24 AM
I guess it's debatable. Are the mobile, tablet and desktop really the same client?
Oct 12th, 2012, 05:58 PM
Well..I am trying to identify the client as an App. Assuming the same app can be run on the different platforms, I would think they wold be the same client.
Oct 13th, 2012, 04:09 AM
Makes sense. So do the devices send any kind of identifier when they authorize (a header or a query parameter)? They should - the user agent header if nothing else. If they do and you want different tokens for each one you just need to add that to the key used to store the token (there's a strategy called AuthenticationKeyGenerator).
Oct 14th, 2012, 10:32 PM
Ok. I guess if the devices send different ids, then different tokens can be generated for them.
I guess my underlying question was if there are scenarios where multiple access tokens may be active at a time? For example, if a user has a refresh token and makes two requests with it, does he always get the same access token(if the access token has not expired), or is he entitled to get a different access token. I have seen some cases where apps are allowed to proactively ask for access tokens even if not expired based on whether an access token is going to expire "soon". That may indicate that there could be multiple valid access tokens associated with a refresh token at a given time. Potentially, if you issue multiple access tokens, then a malicious user could simply fill up a backend store by requesting access tokens, couldn't it?
Oct 15th, 2012, 02:49 AM
The default behaviour of the DefaultTokenServices is to re-use existing tokens (based on the behaviour of the existing TokenStore implementations), so the attack you mention is probably not going to succeed. I don't think there is an option to force a new token to be generated, but clients can always use a refresh token to get a new one (I think, I'd have to check).
Oct 15th, 2012, 08:40 AM
I see that the default implementation does make sure that only a single access token is associated with a given refresh token. I guess you are saying that having multiple tokens may be allowed and it depends on the implementation. Thanks for the response.