[Feature Request] Single Use Refresh Token/Refresh Token Writeback #1148
Comments
Internal tracking: W-13691799
We don't currently support single-use refresh tokens. We expect that tokens are long-lived and can be used to refresh multiple access tokens until they expire. But I don't see that documented anywhere, so I will get that fixed.
https://www.rfc-editor.org/rfc/rfc6749#section-10.4 suggests rotating refresh tokens and defending old refresh token reuse. MS implementation: "Securely delete the old refresh token after acquiring a new one". How would I get a notification when this fix is deployed to the Tableau server/online/prep? @jkoskela
Okay, I will reopen so it can be tracked, but this isn't prioritized. According to the RFC, "Authorization servers MAY issue refresh tokens to web application clients and native application clients." They only mentioned SHOULD where client authentication is not possible. This does not apply in this case, since we use client authentication. In the case of Microsoft, "The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens." In the case of Okta, single-use refresh tokens are only the default for SPA, which we are not. We use Okta for federation for other connectors, and don't have an issue with this. We are aware that some IDP scenarios use single-use refresh tokens. We have run into this issue with other connectors already. We want to get to it but, like I said before, it's not prioritized.
Describe the bug
Related issue: #1147
We added external/custom OAuth config support based on the doc tableau.github.io/connector-plugin-sdk/docs/oauth. It works in Tableau Desktop but not in Tableau Prep.
The problem is that Tableau Prep uses an expired refresh token to call the IDP (in this case, Galaxy). Please refer to the attached file here:
token_requests.txt
About you:
Name: Song Gao
Company: Starburst Data
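
The failure mode discussed in this thread, as an added example that is not part of the issue or of the connector SDK: a constructed in-memory authorization server that rotates refresh tokens on every use, called by a client with and without refresh token writeback. `RotatingAuthServer`, `Client` and `run` are hypothetical names, and revoking the whole grant when a retired token is replayed is an assumed server policy.

```python
import secrets

class RotatingAuthServer:
    """Constructed stand-in for an IdP that issues single-use refresh tokens."""
    def __init__(self):
        self.active = {}   # valid refresh token -> grant id
        self.retired = {}  # invalidated but retained token -> grant id

    def authorize(self, grant_id):
        token = secrets.token_urlsafe(16)
        self.active[token] = grant_id
        return token

    def refresh(self, refresh_token):
        if refresh_token in self.retired:
            # A rotated token came back: treat as a breach signal and
            # revoke every live token of that grant (assumed policy).
            grant = self.retired[refresh_token]
            self.active = {t: g for t, g in self.active.items() if g != grant}
            raise PermissionError("invalid_grant: refresh token reuse")
        if refresh_token not in self.active:
            raise PermissionError("invalid_grant: unknown or revoked")
        grant = self.active.pop(refresh_token)
        self.retired[refresh_token] = grant  # invalidate but retain
        new_token = secrets.token_urlsafe(16)
        self.active[new_token] = grant
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": new_token}

class Client:
    def __init__(self, server, refresh_token, writeback):
        self.server, self.refresh_token = server, refresh_token
        self.writeback = writeback

    def get_access_token(self):
        resp = self.server.refresh(self.refresh_token)
        if self.writeback and "refresh_token" in resp:
            self.refresh_token = resp["refresh_token"]  # store rotated token
        return resp["access_token"]

def run(writeback, rounds=3):
    """Return the outcome of each refresh attempt for one client."""
    server = RotatingAuthServer()
    client = Client(server, server.authorize("grant-1"), writeback)
    outcomes = []
    for _ in range(rounds):
        try:
            client.get_access_token()
            outcomes.append("ok")
        except PermissionError as err:
            outcomes.append(str(err))
    return outcomes
```

Without writeback the first refresh succeeds and every later one fails, which matches a client that keeps presenting the original refresh token to an IdP that rotates them.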