RefreshTokenGrant: add option whether to revoke refreshed access tokens

[josiasmontag]

Currently, the RefreshTokenGrant immediately revokes an access token when it gets refreshed.

The RFC Section 6 makes no mention that this should happen.

The current behavior sometimes causes issues: Some clients assume the old access token is still valid because it has not reached its expiration date yet. Also, there are race conditions with simultaneous requests when one client refreshes the token and the other client still uses the old, non-expired token.

This PR adds an option revokeRefreshedAccessTokens to configure revoking old access token after refreshing. It defaults to true, wich is the current behaviour.

Also see #1347

[josiasmontag]

Some additional thoughts:
The current behaviour of revoking the access tokens might even be wrong according to the RFC. Section 1.5 says:

Refresh tokens are issued to the client by the authorization server and are
used to obtain a new access token when the current access token
becomes invalid or expires, or to obtain additional access tokens
with identical or narrower scope (access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner).

The current implementation does not allow to obtain additional access tokens as it revokes all previous ones.

[Sephster]

We already have a function for this called revokeRefreshTokens which can be set to true or false. We used to automatically revoke and appreciate this isn't following spec so added in a method to allow implementers to choose whether this is enforced or not.

The boolean should be set in the AuthServer class. Thank you for your PR though. I hope this functionality helps solve your problem.

[josiasmontag]

@Sephster I am aware of revokeRefreshTokens which is about revoking the old refresh token, it does not control whether the old access token is revoked. This PR is about adding a setting for revoking the previous access token. Please have a look at the relevant change here.

[Sephster]

Apologies I had missed this. Will reopen to review later. Thanks for clarifying.

[pat0s]

Is there any progress on clarifying this PR? @Sephster

[Sephster]

No not yet. All my efforts are on releasing v9 then this will be picked up along with others. Cheers

[hafezdivandari]

RFC7009 section 2.1:

If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant. If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.

It means:

• When revoking a refresh token, the access token SHOULD also be revoked.
• When revoking an access token, the refresh token MAY also be revoked.