Open
Labels
auth-issue: An issue authenticating to a host
Description
Version
2.6.1+786ab03440ddc82e807a97c0e540f5247e44cec6
Operating system
Other - please describe below
OS version or distribution
All
Git hosting provider(s)
Other - please describe below
Other hosting provider
generic
(Azure DevOps only) What format is your remote URL?
None
Can you access the remote repository directly in the browser?
Yes, I can access the repository
Expected behavior
When the access token expires, after token refresh using the refresh token, we should store the new Refresh Token value.
Actual behavior
When the access token expires, after token refresh using the refresh token, the current (revoked) Refresh Token value is stored. See:
    Context.CredentialStore.AddOrUpdate(refreshService, refreshToken.Account, refreshToken.Password);
In other words, the Refresh Token can be used only once.
Code
    // Try to use a refresh token if we have one
    ICredential refreshToken = Context.CredentialStore.Get(refreshService, userName);
    if (refreshToken != null)
    {
        try
        {
            var refreshResult = await client.GetTokenByRefreshTokenAsync(refreshToken.Password, CancellationToken.None);
            // Store new refresh token if we have been given one
            if (!string.IsNullOrWhiteSpace(refreshResult.RefreshToken))
            {
                Context.CredentialStore.AddOrUpdate(refreshService, refreshToken.Account, refreshToken.Password);
            }
            // Return the new access token
            return new GitCredential(oauthUser,refreshResult.AccessToken);

    Context.CredentialStore.AddOrUpdate(refreshService, refreshToken.Account, refreshToken.Password);
should be replaced with:
    Context.CredentialStore.AddOrUpdate(refreshService, refreshToken.Account, refreshResult.RefreshToken);
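The failure mode reported above, reproduced as an added example that is not part of the original issue or the project's code. It assumes a provider that revokes each refresh token on use and issues a replacement; `RotatingServer`, `Demo` and the token strings are hypothetical names constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in (not project code): a server that accepts each refresh token once, then rotates it.
class RotatingServer
{
    private readonly HashSet<string> _valid = new HashSet<string>();
    private int _counter;
    public string Issue()
    {
        string token = "rt-" + (++_counter);   // constructed sample value
        _valid.Add(token);
        return token;
    }
    public (string AccessToken, string RefreshToken) Refresh(string refreshToken)
    {
        // Remove() returns false for a token that was already consumed or never issued.
        if (!_valid.Remove(refreshToken))
            throw new InvalidOperationException("invalid_grant: refresh token revoked or unknown");
        return ("at-" + _counter, Issue());
    }
}

static class Demo
{
    // Performs up to `rounds` refreshes and returns how many succeeded before the server refused.
    public static int Run(bool storeNewToken, int rounds)
    {
        var server = new RotatingServer();
        var store = new Dictionary<string, string> { ["refresh"] = server.Issue() };
        int ok = 0;
        for (int i = 0; i < rounds; i++)
        {
            string current = store["refresh"];
            try
            {
                var result = server.Refresh(current);
                // Reported behaviour re-stores the consumed token; proposed fix stores the rotated one.
                store["refresh"] = storeNewToken ? result.RefreshToken : current;
                ok++;
            }
            catch (InvalidOperationException) { break; }
        }
        return ok;
    }
    static void Main()
    {
        Console.WriteLine("store old token: " + Run(false, 3) + " of 3 refreshes succeed");
        Console.WriteLine("store new token: " + Run(true, 3) + " of 3 refreshes succeed");
    }
}
```

With the consumed token written back, the first refresh succeeds and the next one is rejected, which is the point at which a user would be forced through interactive sign-in again.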