oauth2.dev

refresh_token

IETF

Registry Context

`refresh_token` indicates that the token submitted for revocation is a refresh token.

Technical Summary

RFC 7009 Section 2.1 defines `refresh_token` as a `token_type_hint` value for a refresh token as defined by RFC 6749 Section 1.5. RFC 7009 also includes it in the OAuth Token Type Hints registry's initial contents.

When Used

When a client includes `token_type_hint=refresh_token` in an OAuth 2.0 token revocation request.

Normative Requirements

Clients

MAY
1
  1. RFC 7009 - Section 2.1

    pass the `token_type_hint` parameter to help the authorization server optimize token lookup.

    Condition: when submitting a token revocation request

    Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup.

Authorization servers

MUST
1
  1. RFC 7009 - Section 2.1

    extend its search across all supported token types.

    Condition: if it is unable to locate the token using the given hint

    If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types.

SHOULD
1
  1. RFC 7009 - Section 2.1

    invalidate all access tokens based on the same authorization grant.

    Condition: if the revoked token is a refresh token and the authorization server supports access-token revocation

    The authorization server SHOULD also invalidate all access tokens based on the same authorization grant.

MAY
1
  1. RFC 7009 - Section 2.1

    ignore the `token_type_hint` parameter.

    Condition: particularly if it can detect the token type automatically

    An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically.

Implementations

MUST
1
  1. RFC 7009 - Section 2

    support the revocation of refresh tokens.

    Implementations MUST support the revocation of refresh tokens.

SHOULD
1
  1. RFC 7009 - Section 2

    support the revocation of access tokens.

    Implementations [...] SHOULD support the revocation of access tokens.

Validation Guidance

error

Verify that the implementation supports revocation of refresh tokens.

warning

Verify that omission of `token_type_hint` is accepted and that a supplied `refresh_token` hint is not required for successful refresh-token lookup.

error

Verify that an incorrect token type hint does not restrict lookup to the hinted type; the authorization server must search all supported token types if the hinted lookup fails.

warning

Verify that revoking a refresh token also invalidates access tokens based on the same authorization grant when the authorization server supports access-token revocation.

Security Notes

RFC 7009 - Section 2

The revocation endpoint location should be obtained from a trustworthy source because the endpoint handles security credentials.

Reference

Details

Entry Id
refresh_token
Hint Value
refresh_token
Change Controller
IETF
Reference
RFC7009