Invalidate refresh tokens by default for OAuth public clients #11208

Open
opened 2025-11-02 09:30:51 -06:00 by GiteaMirror · 1 comment
Owner

Originally created by @hickford on GitHub (Jul 12, 2023).

Feature Description

Configuration option oauth2.INVALIDATE_REFRESH_TOKENS defaults to false. For public clients, refresh token invalidation should be the default following OAuth security best practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-22#name-refresh-tokens

Refresh tokens for public clients MUST be sender-constrained or use refresh token rotation

The configuration option would then apply only to confidential clients.

Screenshots

No response

Originally created by @hickford on GitHub (Jul 12, 2023). ### Feature Description Configuration option [oauth2.INVALIDATE_REFRESH_TOKENS](https://docs.gitea.com/next/administration/config-cheat-sheet#oauth2-oauth2) defaults to false. For public clients, refresh token invalidation should be the default following OAuth security best practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-22#name-refresh-tokens > Refresh tokens for public clients MUST be sender-constrained or use refresh token rotation The configuration option would then apply only to confidential clients. ### Screenshots _No response_
GiteaMirror added the type/proposal label 2025-11-02 09:30:51 -06:00
Author
Owner
@hickford commented on GitHub (Jul 12, 2023): Relevant code https://github.com/go-gitea/gitea/blob/d1e066f5d6e1ba91f45118de835c3777eee0811f/routers/web/auth/oauth.go#L149-L156 https://github.com/go-gitea/gitea/blob/d1e066f5d6e1ba91f45118de835c3777eee0811f/routers/web/auth/oauth.go#L732-L739
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#11208