5
votes

I am using laravel/passport password_grant for authentication. The whole generating access_token and refresh_token process is working fine. Now I am trying to use laravel passport token events to revoke old tokens.

I referred to this post for the process - https://laracasts.com/discuss/channels/laravel/laravel-passport-revoke-and-prune-event-listener-is-not-doing-anything

This works... But when refreshing an access token using the previously provided refresh token, a new access token is created and a new refresh token is also created. Eventually, while revoking the old access token, the old, not yet expired refresh token also gets revoked.

But I think, the refresh token must be revoked only when it has expired.

And also when I remove the EventListeners from the App\Providers\EventServiceProvider $listen array, the revoking mechanism still works.

It's like even pulling out the plug the light bulb is still on.

How to solve this issue? Or am I wrong with the concept somewhere?

From my understanding refresh tokens are linked to the access token; the refresh token is checked against the access token. If you don't have a valid access token linked to the refresh token, how will the refresh token be checked against it? - madalinivascu

Yeah, how are the events for revoking refresh tokens still firing even after I have removed the event listeners? Prior to registering the event listeners, everything was working as I wanted it to. @madalinivascu - besrabasant

Did you queue your events? - madalinivascu

No. @madalinivascu - besrabasant

I am not familiar with Laravel events; try doing a composer dump-autoload. - madalinivascu

1 Answer

8
votes

But when refreshing an access token using the previously provided refresh token, a new access token is created and a new refresh token is also created.

That's basically what makes refresh tokens prevent MITM attacks (to some extent). If someone intercepts your communication and finds your access token, they can impersonate you for as long as it lives. But if they intercept your request to refresh your tokens, only one of you (the user and the attacker) can use it, because it's revoked once used. If you get to use it first, it becomes useless to them. If they use it first, you'll be logged out because your old tokens will be revoked. If they can intercept all your requests - and keep finding your new access tokens - you need to reconsider your security setup.

From RFC 6749, section 1.5 (Refresh Token), under Figure 2: Refreshing an Expired Access Token:

(H) The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token).
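The rotation behaviour the answer describes (a refresh token is single-use: presenting it issues a new access/refresh pair and revokes the old one, so a replay of the same refresh token is rejected) can be modelled without any framework. The following is an added example written for this page, not code from Laravel Passport or from the answer; the `TokenStore` class, its method names and the TTL values are assumptions chosen for the model, and the timestamps are constructed.

```python
"""Model of OAuth 2.0 refresh-token rotation (RFC 6749 section 1.5, step H).

Constructed example: an in-memory token store in which a refresh token is
valid exactly once. Using it issues a new access/refresh pair and revokes the
pair it was linked to, so whoever presents the same refresh token a second
time (the legitimate user or someone who captured it) is refused.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    expires_at: float      # seconds since epoch (constructed timestamps below)
    revoked: bool = False


class TokenStore:
    """Assumed helper, not Passport's API: issues, refreshes and checks tokens."""

    def __init__(self, access_ttl: int = 3600, refresh_ttl: int = 14 * 86400):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.access: dict[str, Token] = {}               # access value -> Token
        self.refresh: dict[str, tuple[Token, str]] = {}  # refresh value -> (Token, linked access value)

    def issue_pair(self, now: float) -> tuple[str, str]:
        """Issue a fresh access token and the refresh token linked to it."""
        access = Token(secrets.token_hex(16), now + self.access_ttl)
        refresh = Token(secrets.token_hex(16), now + self.refresh_ttl)
        self.access[access.value] = access
        self.refresh[refresh.value] = (refresh, access.value)
        return access.value, refresh.value

    def refresh_pair(self, refresh_value: str, now: float) -> tuple[str, str]:
        """Step (H): validate the refresh token, then rotate both tokens.

        Raises ValueError with an 'invalid_grant' message when the refresh
        token is unknown, already used, or expired.
        """
        entry = self.refresh.get(refresh_value)
        if entry is None:
            raise ValueError("invalid_grant: unknown refresh token")
        refresh, linked_access = entry
        if refresh.revoked:
            raise ValueError("invalid_grant: refresh token already used")
        if now >= refresh.expires_at:
            raise ValueError("invalid_grant: refresh token expired")
        # Rotation: the presented refresh token and its access token are
        # revoked before the new pair is handed out.
        refresh.revoked = True
        self.access[linked_access].revoked = True
        return self.issue_pair(now)

    def access_is_valid(self, value: str, now: float) -> bool:
        token = self.access.get(value)
        return token is not None and not token.revoked and now < token.expires_at


def demo() -> dict:
    """Walk through one rotation and one replay; returns the observed outcomes."""
    store = TokenStore()
    now = 1_000.0                                   # constructed clock value
    access1, refresh1 = store.issue_pair(now)

    # Legitimate refresh: a new pair is issued and the old pair is revoked.
    access2, _refresh2 = store.refresh_pair(refresh1, now + 10)
    outcome = {
        "old_access_valid": store.access_is_valid(access1, now + 11),
        "new_access_valid": store.access_is_valid(access2, now + 11),
    }

    # Second presentation of the same refresh token is refused, which is the
    # property the answer relies on: only one party can ever use it.
    try:
        store.refresh_pair(refresh1, now + 20)
        outcome["replay_rejected"] = False
    except ValueError as err:
        outcome["replay_rejected"] = "already used" in str(err)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Note what this model does not do: it does not revoke a refresh token merely because a newer access token was created for the same user, which is the side effect the question's event listener produced. In the rotation model the refresh token is only invalidated by being used or by expiring.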