feat: allow for permanent refresh_token(s) with config

cmd/server/handler.go

@@ -147,6 +147,7 @@ func RunServeAll(cmd *cobra.Command, args []string) {
 	d.PrometheusManager().RegisterRouter(admin.Router)
 	d.PrometheusManager().RegisterRouter(public.Router)
 
+
 	var wg sync.WaitGroup
 	wg.Add(2)
 
@@ -186,6 +187,8 @@ func setup(d driver.Registry, cmd *cobra.Command) (admin *x.RouterAdmin, public
 		}
 	}
 
+	d.Config().Validate()
+
 	adminmw = negroni.New()
 	publicmw = negroni.New()
 

driver/config/provider.go

@@ -65,6 +65,7 @@ const (
 	KeyOAuth2LegacyErrors                        = "oauth2.include_legacy_error_fields"
 	KeyExcludeNotBeforeClaim                     = "oauth2.exclude_not_before_claim"
 	KeyAllowedTopLevelClaims                     = "oauth2.allowed_top_level_claims"
+	KeyEnableRefreshTokenRotation                = "oauth2.refresh_token_rotation.enabled"
 )
 
 const DSNMemory = "memory"
@@ -193,6 +194,10 @@ func (p *Provider) ExcludeNotBeforeClaim() bool {
 	return p.p.BoolF(KeyExcludeNotBeforeClaim, false)
 }
 
+func (p *Provider) EnableRefreshTokenRotation() bool {
+	return p.p.BoolF(KeyEnableRefreshTokenRotation, true)
+}
+
 func (p *Provider) DataSourcePlugin() string {
 	return p.p.String(KeyDSN)
 }
@@ -428,3 +433,15 @@ func (p *Provider) CGroupsV1AutoMaxProcsEnabled() bool {
 func (p *Provider) GrantAllClientCredentialsScopesPerDefault() bool {
 	return p.p.Bool(KeyGrantAllClientCredentialsScopesPerDefault)
 }
+
+// Validate validates the configuration contained within this provider
+func (p *Provider) Validate() {
+	if !p.EnableRefreshTokenRotation() {
+		refreshTokenLifespan := p.RefreshTokenLifespan()
+		if refreshTokenLifespan == 0 {
+			p.l.Fatalf("Disabling refresh token rotation (%s) must also set %s to -1",
+				KeyEnableRefreshTokenRotation,
+				KeyRefreshTokenLifespan)
+		}
+	}
+}

oauth2/handler.go

@@ -21,6 +21,7 @@
 package oauth2
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"html/template"
@@ -576,9 +577,14 @@ func (h *Handler) FlushHandler(w http.ResponseWriter, r *http.Request, _ httprou
 //       400: jsonError
 //       500: jsonError
 func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request) {
+
 	var session = NewSessionWithCustomClaims("", h.c.AllowedTopLevelClaims())
 	var ctx = r.Context()
 
+	ctx = context.WithValue(ctx,
+		fosite.RefreshTokenRotationEnabledContextKey,
+		h.c.EnableRefreshTokenRotation())
+
 	accessRequest, err := h.r.OAuth2Provider().NewAccessRequest(ctx, r, session)
 
 	if err != nil {

spec/config.json

@@ -425,6 +425,7 @@
       "type": "string",
       "description": "Sets the data source name. This configures the backend where ORY Hydra persists data. If dsn is \"memory\", data will be written to memory and is lost when you restart this instance. ORY Hydra supports popular SQL databases. For more detailed configuration information go to: https://www.ory.sh/docs/hydra/dependencies-environment#sql"
     },
+
     "webfinger": {
       "type": "object",
       "additionalProperties": false,
@@ -867,6 +868,16 @@
               ]
             }
           }
+        },
+        "refresh_token_rotation": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "description": "Configures refresh_token rotatation behavior. By default refresh tokens are rotated on use.",
+              "default": true
+            }
+          }
         }
       }
     },