Token hashing feature (for refresh token) works correctly only with the refresh token rotation strategy

Used config:

```ruby
plugin :rodauth, json: :only do
  enable :oauth_jwt, :oidc

  oauth_refresh_token_protection_policy "rotation"

  oauth_tokens_token_column :token_hash
  oauth_tokens_refresh_token_column :refresh_token_hash

  oauth_tokens_token_hash_column :token_hash
  oauth_tokens_refresh_token_hash_column :refresh_token_hash
end
```

Root issue: if we want to enable token hashing for the refresh token, we also need to enable rotation for the refresh token; otherwise we can't use hashing for the refresh token at all.

What happens if refresh token rotation is disabled, step by step:

1. Go to POST /token with grant_type "authorization_code". Response:

```
{
    "access_token": "some_token",
    "token_type": "bearer",
    "expires_in": 300,
    "refresh_token": "secure-random", # in our DB it is saved as sha256(secure-random)
    "id_token": "some token"
}
```

2. We want to refresh our tokens and go to POST /token with grant_type "refresh_token". Response:

```
{
    "access_token": "some_token",
    "token_type": "bearer",
    "expires_in": 300,
    "refresh_token": "sha256(secure-random)", # in our DB it is saved as sha256(secure-random)
    "id_token": "some token"
}
```

3. On the next refresh request we send the refresh_token value, which is already hashed, and the server returns invalid_grant.

But after enabling rotation it works fine, because the token is regenerated and the returned value is not sha256-hashed 😄
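To make the failure mode concrete, here is an added, self-contained Ruby simulation of the behaviour described above. It is not rodauth-oauth's code: `TokenStore`, `refresh_buggy`, `refresh_fixed` and `reproduce` are hypothetical names, and the in-memory hash stands in for the oauth_tokens table. The buggy path echoes the stored column value (the hash) back to the client when rotation is off, so the second refresh cannot be matched; the fixed path returns the raw token the client presented, so a hashed column works with or without rotation.

```ruby
require "digest"
require "securerandom"

# Constructed in-memory stand-in for the oauth_tokens table: keyed by
# sha256(refresh_token), which is the only form the server persists.
class TokenStore
  def initialize
    @rows = {}
  end

  def hash_token(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Issue a grant: the client receives the raw token, the DB keeps only the hash.
  def issue
    raw = SecureRandom.hex(16)
    @rows[hash_token(raw)] = { refresh_token_hash: hash_token(raw) }
    raw
  end

  # Lookup hashes the presented value, as a hashed column requires.
  def find(raw_refresh_token)
    @rows[hash_token(raw_refresh_token)]
  end

  # Buggy behaviour from the report: without rotation the response is built
  # from the stored column, so the client gets sha256(secure-random) back.
  def refresh_buggy(raw_refresh_token, rotation:)
    row = find(raw_refresh_token) or return nil # nil models invalid_grant
    if rotation
      @rows.delete(hash_token(raw_refresh_token))
      issue
    else
      row[:refresh_token_hash]
    end
  end

  # Fixed behaviour (assumed remedy): when the token is not rotated, return
  # the raw value the client presented, never the hashed column.
  def refresh_fixed(raw_refresh_token, rotation:)
    find(raw_refresh_token) or return nil
    if rotation
      @rows.delete(hash_token(raw_refresh_token))
      issue
    else
      raw_refresh_token
    end
  end
end

# Runs two consecutive refreshes and reports whether the second still succeeds.
def reproduce(method, rotation:)
  store = TokenStore.new
  first = store.issue
  second = store.public_send(method, first, rotation: rotation)
  third = second && store.public_send(method, second, rotation: rotation)
  !third.nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy, rotation off: #{reproduce(:refresh_buggy, rotation: false)}"
  puts "buggy, rotation on:  #{reproduce(:refresh_buggy, rotation: true)}"
  puts "fixed, rotation off: #{reproduce(:refresh_fixed, rotation: false)}"
end
```

The check a reviewer would want is the second refresh: with the buggy path and rotation disabled it fails, exactly as step 3 describes, while every other combination succeeds.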