Merge pull request #548 from uc-cdis/fix/refresh-tokens

fix(refresh): don't provide new refresh token when hitting token endp…
uc-cdis · Jan 29, 2019 · 5eb0364 · 5eb0364
2 parents acd7327 + df7e1a1
commit 5eb0364
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/fence/oidc/grants/refresh_token_grant.py b/fence/oidc/grants/refresh_token_grant.py
@@ -139,6 +139,17 @@ def create_token_response(self):
         token = self.generate_token(
             client, self.GRANT_TYPE, user=user, expires_in=expires_in, scope=scope
         )
+
+        # replace the newly generated refresh token with the one provided
+        # this prevents refreshing a refresh token in order to meet
+        # the security requirement that users must authenticate every
+        # 30 days
+        #
+        # TODO: this could be handled differently, we could track last authN
+        #       and still allow refreshing refresh tokens
+        if self.GRANT_TYPE == "refresh_token":
+            token["refresh_token"] = self.request.data.get("refresh_token", "")
+
         # TODO
         flask.current_app.logger.info("")