tableau / connector-plugin-sdk

SDK for Developing Tableau Connector Plugins

Home Page: https://tableau.github.io/connector-plugin-sdk/

[Feature Request] Single Use Refresh Token/Refresh Token Writeback

xsgao-github opened this issue · comments

Describe the bug
Related issue: #1147

We added external/custom OAuth config support based on the doc tableau.github.io/connector-plugin-sdk/docs/oauth. It works in Tableau Desktop but not in Tableau Prep.

The problem is that Tableau Prep uses an expired refresh token to call the IDP (in this case, Galaxy). Please refer to the attached file here:

token_requests.txt

Screenshots

Desktop (please complete the following information):

  • OS: Windows
  • Tableau Version: 2023.2

About you:
Name: Song Gao
Company: Starburst Data

Internal tracking: W-13691799

We don't currently support single-use refresh tokens. We expect that tokens are long lived and can be used to refresh multiple access tokens until they expire. But I don't see that documented anywhere, so I will get that fixed.

https://www.rfc-editor.org/rfc/rfc6749#section-10.4 suggests rotating refresh tokens and defending old refresh token reuse.

MS implementation: "Securely delete the old refresh token after acquiring a new one"

Okta: "As soon as the new tokens are issued, Okta invalidates the refresh token that was passed with the initial request to the /token endpoint"

How would I get a notification when this fix is deployed to the Tableau server/online/prep? @jkoskela

Okay, I will reopen so it can be tracked, but this isn't prioritized.

According to the RFC "Authorization servers MAY issue refresh tokens to web application clients and native application clients." They only mentioned SHOULD where client authentication is not possible. This does not apply in this case, since we use client authentication.

In the case of Microsoft: "The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens."

In the case of Okta, single-use refresh tokens are only the default for SPAs, which we are not. We use Okta for federation for other connectors and don't have an issue with this.

We are aware that some IDP scenarios use single-use refresh tokens. We have run into this issue with other connectors already. We want to get to it but, like I said before, it's not prioritized.
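The rotation behaviour described in the RFC 6749 section 10.4 excerpt above and the refresh token writeback this request asks for, as an added example that is not part of this thread or of the connector-plugin-sdk: a constructed toy IdP that rotates refresh tokens and revokes the token family on reuse, next to a client that does or does not write the rotated token back to its credential store (all class and function names are assumptions).

```python
import secrets

class RotatingIdP:
    """Constructed toy IdP issuing single-use refresh tokens: a refresh retires the
    presented token and issues a replacement in the same family; presenting a retired
    token counts as possible leakage and revokes the whole family (RFC 6749 s10.4)."""
    def __init__(self):
        self.active, self.retired, self.revoked = {}, {}, set()  # token -> family

    def issue(self, family=None):  # family=None models the initial code exchange
        rt = secrets.token_urlsafe(16)
        self.active[rt] = family or secrets.token_hex(4)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def refresh(self, refresh_token):
        if refresh_token in self.active:
            family = self.active.pop(refresh_token)
            self.retired[refresh_token] = family
            return self.issue(family)
        if refresh_token in self.retired:  # reuse of an already rotated token
            family = self.retired[refresh_token]
            self.revoked.add(family)
            self.active = {rt: f for rt, f in self.active.items() if f != family}
            raise PermissionError("invalid_grant: refresh token reuse, family revoked")
        raise PermissionError("invalid_grant: unknown refresh token")

class Client:
    """Client that either writes the rotated refresh token back to its credential
    store (writeback=True) or keeps reusing the original one, as in the issue."""
    def __init__(self, idp, writeback):
        self.idp, self.writeback = idp, writeback
        self.creds = idp.issue()

    def refresh(self):
        resp = self.idp.refresh(self.creds["refresh_token"])
        if self.writeback:
            self.creds = resp
        else:  # only the access token is updated; the stale refresh token is kept
            self.creds["access_token"] = resp["access_token"]

def successful_refreshes(writeback, attempts=3):
    """Count refreshes that succeed before the IdP rejects the client."""
    client = Client(RotatingIdP(), writeback)
    for i in range(attempts):
        try:
            client.refresh()
        except PermissionError:
            return i
    return attempts
```

Against such an IdP the client without writeback succeeds exactly once, and its second attempt not only fails but revokes the rotated token as well, which is the lockout the issue describes.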