🚀 Feature: Refresh Tokens #304

Closed
opened 2025-10-07 00:09:51 +03:00 by OVERLORD · 2 comments
Originally created by @savely-krasovsky on GitHub.

Originally assigned to: @kmendell on GitHub.

Feature description

OpenID Connect Refresh Tokens from the spec

Pitch

While I like Pocket ID a lot, I see that a lot of services/apps are actively trying to issue refresh tokens, but they can't since Pocket ID does not support them. Many SPA backends cannot issue a cookie with its own lifetime, but rather fully rely on access/refresh token mechanics, since they are basically advised to follow native applications' best security practices. Source: https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-24.html#name-browser-based-oauth-20-clie

I can probably try to contribute this feature, but I am not sure the project is ready/wants to accept it. Maybe this is a principled position to keep the project as simple as possible.

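The access/refresh token mechanics the pitch refers to, shown as an added example that is not part of this issue thread or of Pocket ID's code. It is a minimal in-memory refresh-token store for the refresh_token grant with rotation and reuse detection, the pattern the cited browser-based-apps draft recommends for public clients: each refresh token is single-use, exchanging it returns a new token in the same "family", only a hash of the token is persisted, and presenting an already-used token revokes the whole family. All names (TokenStore, Issue, Refresh, the error values) are hypothetical and chosen for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Sentinel errors a token endpoint would map to an invalid_grant response.
var (
	ErrUnknownToken = errors.New("unknown refresh token")
	ErrExpired      = errors.New("refresh token expired")
	ErrReused       = errors.New("refresh token reuse detected; family revoked")
	ErrWrongClient  = errors.New("refresh token issued to a different client")
)

// refreshRecord is what the server persists per refresh token. Only the
// SHA-256 of the opaque token is stored, so a leaked table yields nothing usable.
type refreshRecord struct {
	clientID string
	subject  string
	familyID string // every rotation of one grant shares a family id
	expires  time.Time
	used     bool // set once the token has been exchanged
}

// TokenStore is a constructed in-memory store; a real server would back it with a DB.
type TokenStore struct {
	mu       sync.Mutex
	byHash   map[string]*refreshRecord
	revoked  map[string]bool // families revoked after reuse detection
	lifetime time.Duration
	now      func() time.Time // injectable clock for tests
}

func NewTokenStore(lifetime time.Duration) *TokenStore {
	return &TokenStore{
		byHash:   map[string]*refreshRecord{},
		revoked:  map[string]bool{},
		lifetime: lifetime,
		now:      time.Now,
	}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// newOpaqueToken returns 256 bits of CSPRNG output, URL-safe base64 encoded.
func newOpaqueToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// issueInFamily stores a fresh token for the family; caller must hold s.mu.
func (s *TokenStore) issueInFamily(clientID, subject, family string) (string, error) {
	tok, err := newOpaqueToken()
	if err != nil {
		return "", err
	}
	s.byHash[hashToken(tok)] = &refreshRecord{
		clientID: clientID, subject: subject, familyID: family,
		expires: s.now().Add(s.lifetime),
	}
	return tok, nil
}

// Issue starts a new family, e.g. at the end of the authorization code exchange.
func (s *TokenStore) Issue(clientID, subject string) (string, error) {
	family, err := newOpaqueToken()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issueInFamily(clientID, subject, family)
}

// Refresh implements the refresh_token grant with rotation: the presented token
// is consumed and a new one in the same family is returned. A second use of a
// consumed token means a stale copy is circulating (legitimately or stolen), so
// the whole family is revoked and the user must re-authenticate.
func (s *TokenStore) Refresh(clientID, presented string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[hashToken(presented)]
	if !ok {
		return "", ErrUnknownToken
	}
	if rec.clientID != clientID {
		return "", ErrWrongClient
	}
	if s.revoked[rec.familyID] {
		return "", ErrReused
	}
	if rec.used {
		s.revoked[rec.familyID] = true
		return "", ErrReused
	}
	if s.now().After(rec.expires) {
		return "", ErrExpired
	}
	rec.used = true
	return s.issueInFamily(clientID, rec.subject, rec.familyID)
}

func main() {
	s := NewTokenStore(30 * 24 * time.Hour)
	t1, _ := s.Issue("spa-client", "alice")
	t2, _ := s.Refresh("spa-client", t1) // normal rotation
	_, err := s.Refresh("spa-client", t1) // replay of the consumed token
	fmt.Println("rotated:", t1 != t2, "| replay:", err)
	_, err = s.Refresh("spa-client", t2) // family is now revoked
	fmt.Println("after reuse, current token:", err)
}
```

The refresh token here is opaque and bound to the client id and the family, which is what lets the server invalidate every descendant of a grant at once; the access token (a short-lived JWT in an OIDC provider) is issued separately on each successful Refresh and is not modelled.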
OVERLORD added the feature label 2025-10-07 00:09:51 +03:00

@savely-krasovsky commented on GitHub:

Yep, I understand that refresh tokens are fully optional by spec, but they are largely used in the wild. I see that Passkeys are a much easier way to authorize, but it's still not convenient when, for example, every OAuth2 Proxy-protected resource asks me literally every hour to authorize again.


@kmendell commented on GitHub:

@stonith404 and I have talked about this in another issue (https://github.com/pocket-id/pocket-id/issues/250#issuecomment-2709808617). I think we were waiting on clarification for it. Though we will look into it more. It's not a 'mandatory' item in the OIDC spec, which if I had to guess is why it was not implemented. I'll see what stonith has to say about it.

Reference: starred/pocket-id#304