
Support for single use tokens

Open Faryshta opened this issue 7 years ago • 4 comments

There should be a way to configure the server or some special scope to kill the token after it's used once, regardless of whether or not the request was successful.

The use case would be for sensitive transactions, like for example a money transfer, where an error from the user or the app client sending the same request twice can lead to loss of money.

The app client sends a request with the single-use token, then the OAuth2 server kills the token so it can never be used. The transaction is processed, maybe returning status 200 or 400; it does not matter.

The app client or the end user screws up, clicks the submit button again, or for whatever reason the same request is sent. The server gets the single-use token which was already used and expired, halting the request.

Faryshta avatar Aug 10 '18 04:08 Faryshta

@bshaffer, any clue?

neverabe avatar Aug 11 '18 01:08 neverabe

Invalidate the token within the middleware right after the validation (revoke token).

letsjustfixit avatar Sep 07 '18 20:09 letsjustfixit

@letsjustfixit how?

Faryshta avatar Sep 07 '18 21:09 Faryshta

@Faryshta https://github.com/bshaffer/oauth2-server-php/blob/master/src/OAuth2/Controller/TokenController.php#L294

letsjustfixit avatar Sep 07 '18 22:09 letsjustfixit
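The approach suggested in the thread (validate, then immediately revoke so a replayed request fails), written out as an added example; this is not code from the oauth2-server-php project or from anyone in this issue. It assumes the library's `Server`, `Request` and `Storage\Memory` classes and the `unsetAccessToken()` storage method; the token value, client, user and `transfer` scope are constructed for illustration.

```php
<?php
// Added example (not from the project or this issue): a resource-endpoint
// guard that makes a bearer token single-use by revoking it in storage as
// soon as it validates, before the protected work is done.
require_once __DIR__ . '/vendor/autoload.php';

use OAuth2\Server;
use OAuth2\Request;
use OAuth2\Storage\Memory;

// Constructed sample storage: one already-issued access token.
$storage = new Memory([
    'access_tokens' => [
        'single-use-token-123' => [
            'client_id' => 'example-client',
            'user_id'   => 'alice',
            'expires'   => time() + 3600,
            'scope'     => 'transfer',
        ],
    ],
]);
$server = new Server($storage);

/**
 * Validate the bearer token on $request for $scope, then revoke it so the
 * same request (e.g. a double-submitted transfer) cannot succeed twice.
 * Returns the raw token on first use, null on an invalid or replayed token.
 */
function consumeSingleUseToken(Server $server, Request $request, string $scope): ?string
{
    // Extract the raw bearer token ourselves so we know exactly what to revoke.
    $header = (string) $request->headers('AUTHORIZATION');
    if (!preg_match('/^\s*Bearer\s+(\S+)/i', $header, $m)) {
        return null;
    }
    if (!$server->verifyResourceRequest($request, null, $scope)) {
        return null; // unknown, expired or already-consumed token
    }
    // Revoke before doing any work: the token dies whether the transaction
    // below later returns 200 or 400.
    $server->getStorage('access_token')->unsetAccessToken($m[1]);
    return $m[1];
}

$request = new Request([], [], [], [], [],
    ['HTTP_AUTHORIZATION' => 'Bearer single-use-token-123']);
var_dump(consumeSingleUseToken($server, $request, 'transfer')); // first use: the token
var_dump(consumeSingleUseToken($server, $request, 'transfer')); // replay: NULL
```

With a persistent backend (e.g. the library's PDO storage) the same `unsetAccessToken()` call deletes the row, so the second request is rejected by `verifyResourceRequest()` on any server instance, not just the one that saw the first request.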