Enable Automatic Reuse Detection in Doorkeeper - OAuth Access Tokens
Related to #363525 (closed)
Currently GitLab (via Doorkeeper) invalidates access tokens whenever a new token is requested via a refresh token. Similarly, once a refresh token is used it is also invalidated and a new refresh token is returned with the new access token.
However, GitLab does not currently support automatic refresh token reuse detection. That is, if a revoked refresh token is used, any 'related' access and refresh tokens are not also revoked.
It appears Doorkeeper supports this feature automatically in the presence of a previous_refresh_token column in the oauth_access_tokens table. Documentation on this feature is pretty non-existent but see https://github.com/doorkeeper-gem/doorkeeper/blob/master/lib/generators/doorkeeper/templates/migration.rb.erb#L60-72.
Question: Will changing this behavior constitute a breaking change?
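The difference between rotation alone and rotation with reuse detection, modelled in memory as an added example. This is not Doorkeeper or GitLab code: TokenStore, Grant, family_id and the detect_reuse switch are hypothetical names, and the model makes no claim about how Doorkeeper uses previous_refresh_token.

```ruby
require "securerandom"

# In-memory model of refresh token rotation. TokenStore, Grant and family_id
# are assumptions for illustration, not Doorkeeper or GitLab code.
class TokenStore
  Grant = Struct.new(:access_token, :refresh_token, :family_id, :revoked)
  class InvalidGrant < StandardError; end

  def initialize(detect_reuse:)
    @detect_reuse = detect_reuse
    @grants = []
  end

  # Initial authorization starts a new token family; rotation reuses the id.
  def issue(family_id = SecureRandom.uuid)
    grant = Grant.new(SecureRandom.hex(16), SecureRandom.hex(16), family_id, false)
    @grants << grant
    grant
  end

  # Exchange a refresh token for a new access/refresh pair.
  def refresh(refresh_token)
    grant = @grants.find { |g| g.refresh_token == refresh_token }
    raise InvalidGrant, "unknown refresh token" if grant.nil?

    if grant.revoked
      # A rotated token came back: two parties hold tokens from this family,
      # and the server cannot tell which one is legitimate.
      revoke_family(grant.family_id) if @detect_reuse
      raise InvalidGrant, "refresh token already used"
    end

    grant.revoked = true # rotation invalidates the old pair
    issue(grant.family_id)
  end

  def active?(access_token)
    @grants.any? { |g| g.access_token == access_token && !g.revoked }
  end

  private

  def revoke_family(family_id)
    @grants.each { |g| g.revoked = true if g.family_id == family_id }
  end
end
```

With detect_reuse: false, replaying a rotated refresh token is rejected but the newest pair stays valid; with detect_reuse: true, the same replay also revokes the newest pair, so the client has to go through authorization again.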