[Feature Request] Single Use Refresh Token/Refresh Token Writeback #1148

Open
xsgao-github opened this issue Jun 27, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@xsgao-github

Describe the bug
Related issue: #1147

We added external/custom OAuth config support based on the doc tableau.github.io/connector-plugin-sdk/docs/oauth. It works in Tableau Desktop but not in Tableau Prep.

The problem is that Tableau Prep uses an expired refresh token to call the IDP (in this case, Galaxy). Please refer to the attached file here:

token_requests.txt

Screenshots
image

Desktop (please complete the following information):

  • OS: Windows
  • Tableau Version: 2023.2

About you:
Name: Song Gao
Company: Starburst Data

@xsgao-github xsgao-github changed the title [BUG] OAuth does not work in Tableau Prep [BUG] external/custom OAuth config does not work in Tableau Prep Jun 30, 2023
@lukewrites
Member

Internal tracking: W-13691799

@jkoskela
Collaborator

We don't currently support single-use refresh tokens. We expect that tokens are long lived and can be used to refresh multiple access tokens until they expire. But I don't see that documented anywhere, so I will get that fixed.

@xsgao-github
Author

https://www.rfc-editor.org/rfc/rfc6749#section-10.4 suggests rotating refresh tokens and defending against old refresh token reuse.

MS implementation: Securely delete the old refresh token after acquiring a new one

Okta: As soon as the new tokens are issued, Okta invalidates the refresh token that was passed with the initial request to the /token endpoint

How would I get a notification when this fix is deployed to the Tableau server/online/prep? @jkoskela

@jkoskela
Collaborator

jkoskela commented Jul 18, 2023

Okay I will reopen so it can be tracked, but this isn't prioritized.

According to the RFC "Authorization servers MAY issue refresh tokens to web application clients and native application clients." They only mentioned SHOULD where client authentication is not possible. This does not apply in this case, since we use client authentication.

In the case of Microsoft "The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens."

In the case of Okta single use refresh tokens are only the default for SPA, which we are not. We use Okta for federation for other connectors, and don't have an issue with this.

We are aware that some IDP scenarios use single-use refresh tokens. We have run into this issue with other connectors already. We want to get to it but like I said before, it's not prioritized.

@jkoskela jkoskela reopened this Jul 24, 2023
@jkoskela jkoskela changed the title [BUG] external/custom OAuth config does not work in Tableau Prep [BUG] Single use refresh tokens don't work Jul 24, 2023
@jkoskela jkoskela changed the title [BUG] Single use refresh tokens don't work [Feature Request] Single use refresh tokens don't work Jul 24, 2023
@jkoskela jkoskela changed the title [Feature Request] Single use refresh tokens don't work [Feature Request] Single Use Refresh Token/Refresh Token Writeback Jul 24, 2023
@rosswbrown rosswbrown added the enhancement New feature or request label Jul 31, 2023
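
The failure discussed in this thread, as an added example that is not part of the issue and is not Tableau's or any IdP's code: a toy in-memory authorization server that issues single-use refresh tokens, and a client run with and without refresh token writeback. `RotatingIdP`, `Client` and `run` are hypothetical names, and the tokens are randomly generated sample values.

```python
import secrets


class RotatingIdP:
    """Toy authorization server with single-use (rotated) refresh tokens."""

    def __init__(self):
        self.active = set()  # refresh tokens that can still be redeemed

    def issue(self):
        rt = secrets.token_urlsafe(16)
        self.active.add(rt)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def refresh(self, refresh_token):
        if refresh_token not in self.active:
            # Unknown or already redeemed token: reject the grant.
            return {"error": "invalid_grant"}
        self.active.discard(refresh_token)  # invalidate the presented token
        return self.issue()                 # hand back a new pair


class Client:
    def __init__(self, idp, tokens, writeback):
        self.idp, self.store, self.writeback = idp, dict(tokens), writeback

    def refresh(self):
        resp = self.idp.refresh(self.store["refresh_token"])
        if "error" in resp:
            return resp["error"]
        self.store["access_token"] = resp["access_token"]
        if self.writeback:
            # RFC 6749 section 6: when a new refresh token is issued, the
            # client discards the old one and stores the new one.
            self.store["refresh_token"] = resp["refresh_token"]
        return "ok"


def run(writeback, rounds=3):
    """Refresh `rounds` times and return the outcome of each attempt."""
    idp = RotatingIdP()
    client = Client(idp, idp.issue(), writeback)
    return [client.refresh() for _ in range(rounds)]


if __name__ == "__main__":
    print("no writeback:", run(False))
    print("writeback:   ", run(True))
```

Without writeback the first refresh succeeds and every later one is rejected, because the client keeps presenting the token the server already invalidated.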