Keycloak Config - revoke refresh token #39
Assignees
Comments
|
This seems to have broken the Shopify app when enabled (despite previous discussion & it appreantly being coded to handle not reusing refresh tokens 😖 ). Given we're at QA, can't really deal with this atm, so I've turned it back off (Refresh tokens are once again not being revoked and can be reused, potentially by multiple clients). I'll put this back into To Do & we can discuss how to move forward on the next call (9/9). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We currently are not revoking refresh tokens, which means they can be reused multiple times (until a different token is used).
Recommended settings are to revoke immediately on first use.
Can we move to recommended settings ?
This has implications for platform behaviour - whether they reuse a stored token, or capture a new refresh token with every access token that is issued.
The text was updated successfully, but these errors were encountered: