Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

This module extends Simple OAuth to provide a configurable grace period for refresh token rotation. It prevents errors and improves user experience by allowing multiple simultaneous requests to refresh a token within a short timeframe to use the same refreshed token. This offers a balance between security and usability, similar to implementations in major authentication providers.

Extends the Simple OAuth module by implementing a configurable per-client grace period for the refresh token rotation.

What Problem Does This Solve?

The Simple OAuth module implements refresh token rotation by default. When multiple requests try to refresh tokens using the same refresh token, errors will be encountered due to the refresh token being rotated on the first request.

However in modern web applications there may be multiple independent requests trying to simultaneously refresh the expired token. Without a grace period, this leads to bad user experience and application errors.

Key Features

  • Configurable grace period (1-60 seconds) per OAuth2 client
  • Seamless integration with Simple OAuth module
  • Enterprise-grade solution similar to Auth0 and Okta implementations
  • Balanced approach to security and user experience

Example

A frontend application is configured to transparently refresh expired access tokens by using the refresh token grant.
A user comes back after some time and due to the nature of web applications, multiple requests are triggered simultaneously which leads to all of them trying to refresh the expired access token.
Normally, the first request would successfully get new tokens while the other ones would fail due to the refresh token being revoked.

With the enabled refresh token buffer, subsequent refresh attempts within the configured grace period will result in the same token from the first successful request.

This significantly improves the reliability and user experience of your Drupal-powered applications.

Security Note: While this module introduces a configurable grace period similar to major authentication providers like Auth0 and Okta, administrators should carefully consider their security requirements when setting the grace period length. The default value of 30 seconds provides a good balance between security and usability.

Activity

Total releases
1
First release
Jan 2025
Latest release
1 year ago
Releases (12 mo)
0 ▼ from 1
Maintenance
Dormant

Releases

Version Type Release date
1.1.1 Stable Jan 20, 2025