Commit 774242f7, authored Oct 17, 2016 by Eric Chiang
Documentation/proposals: added a caveats section to upstream refreshing proposal
parent 1e5133a9
Showing 1 changed file with 18 additions and 3 deletions
Documentation/proposals/upstream-refreshing.md (+18, -3)
@@ -2,12 +2,12 @@
## TL;DR
Today, if a user deletes their G
oogle
account, dex will keep allowing clients to
Today, if a user deletes their G
itHub
account, dex will keep allowing clients to
refresh tokens on that user's behalf because dex never checks back in with
G
oogle
.
G
itHub
.
This is a proposal to change the connector package so the dex can check back
in with G
oogle
.
in with G
itHub
.
## The problem
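Review bot: with the example provider changed from Google to GitHub, the TL;DR still motivates the change by saying dex keeps letting clients "refresh tokens on that user's behalf", while the Caveats section added in this same patch says GitHub "returns the same refresh token every time" and behaves differently from Google on refresh; spell out here what "check back in with GitHub" means concretely (re-validating the user's upstream session on each downstream refresh) so the example does not depend on provider-specific refresh-token semantics. Minor style point in the unchanged context line: "so the dex can check back" should read "so that dex can check back".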
@@ -148,3 +148,18 @@ func (db passwordDB) Refresh(s connector.Scopes, identity connector.Identity) (c
return
identity
,
nil
}
```
## Caveats
Certain providers, such as Google, will only grant a single refresh token for each
client + end user pair. The second time one's requested, no refresh token is
returned. This means refresh tokens must be stored by dex as objects on an
upstream identity rather than part of a downstream refresh even.
Right now
`ConnectorData`
is too general for this since it is only stored with a
refresh token and can't be shared between sessions. This should be rethought in
combination with the
[
`user-object.md`
](
./user-object.md
)
proposal to see if
there are reasonable ways for us to do this.
This isn't a problem for providers like GitHub because they return the same
refresh token every time. We don't need to track a token per client.
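Review bot: typo in the new Caveats paragraph, "rather than part of a downstream refresh even" should read "refresh event". More substantively, the paragraph says the single upstream refresh token granted per client + end user pair must be stored on the upstream identity and shared between sessions, but it does not say what that implies for the lifecycle of the downstream refresh tokens: if several dex sessions share one upstream token, revoking or expiring one downstream session must not invalidate the upstream token while other sessions still rely on it, and conversely losing the upstream token (or the user revoking it at the provider) invalidates every downstream session at once. Worth stating explicitly, since it is the real reason `ConnectorData`, stored per refresh token, does not fit, and it is the requirement the `user-object.md` proposal would have to satisfy.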