0 votes

I'm implementing an OAuth2 authorization server.

When handling the OAuth2 refresh-token-to-access-token exchange (RFC 6749), my client, a mobile app, is having trouble implementing an interceptor (for many reasons).

Before that, my client performs the token exchange flow (RFC 8693) and the access token is stored in the database, so I decided to return the CURRENT access token (ONLY if it is still valid) instead of issuing a new access token every time a refresh token is received.

The lifetime of the access token is short (about 5 minutes), and the user can revoke both the access token and the refresh token.

But this decision is against RFC 6749, which states that a new access token is issued:

The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token)

I'm wondering if this decision could lead to any issues.


1 Answer

1 vote

It is a spec violation in itself, as you noted. The point of the spec is to do something useful on a refresh token request. In your case a refresh token request does not make any sense, since the access token is not actually refreshed. So a better approach for your use case is to not make the client refresh the access token while it is still valid. However, the suggested approach does not lead to any issues other than a spec violation and possible non-interoperability with some clients out there.
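As an added illustration (not code from the question or the answer), here is a small Python model of the token endpoint's refresh grant with the RFC 6749 behaviour beside the questioner's reuse-the-current-token variant, plus a client-side helper that follows the answer's advice and only calls the refresh grant once the access token is about to expire. The in-memory TokenStore, the 30-second expiry skew and the sample token values are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 300  # five-minute access tokens, as in the question

@dataclass
class TokenStore:
    """Constructed in-memory store standing in for the server's database."""
    access: dict = field(default_factory=dict)   # access token -> (subject, expires_at)
    refresh: dict = field(default_factory=dict)  # refresh token -> subject
    revoked: set = field(default_factory=set)    # tokens the user has revoked

def is_access_valid(store, token, now):
    rec = store.access.get(token)
    return rec is not None and token not in store.revoked and rec[1] > now

def revoke(store, token):
    """User-initiated revocation of an access or a refresh token."""
    store.revoked.add(token)

def refresh_grant(store, refresh_token, now, reuse_current=False):
    """Token endpoint handling of grant_type=refresh_token.
    RFC 6749 section 6: validate the refresh token and, if valid, issue a NEW access token.
    reuse_current=True is the questioner's variant: hand back the subject's current access
    token while it is still valid. Returns (access_token, expires_at) or None."""
    subject = store.refresh.get(refresh_token)
    if subject is None or refresh_token in store.revoked:
        return None
    if reuse_current:
        for tok, (sub, exp) in store.access.items():
            if sub == subject and is_access_valid(store, tok, now):
                return tok, exp
    new_token, exp = secrets.token_urlsafe(32), now + ACCESS_TTL
    store.access[new_token] = (subject, exp)
    return new_token, exp

def client_token(cache, refresh_token, store, now, skew=30):
    """Client side of the answer's advice: keep using the cached access token until it is
    within `skew` seconds of expiry, and only then call the refresh grant. `cache` is the
    client's own {'access': ..., 'expires_at': ...}; `store` stands in for the network call."""
    if cache.get("access") and cache["expires_at"] - skew > now:
        return cache["access"]
    issued = refresh_grant(store, refresh_token, now)
    if issued is None:
        return None  # refresh token revoked or unknown: the client must re-authorize
    cache["access"], cache["expires_at"] = issued
    return cache["access"]
```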