Hello folks,
First of all, thanks for a great gem and all your efforts!
Steps to reproduce
We have stumbled upon a problem in our system and are not sure how to handle this correctly.
We are now on Doorkeeper 5.6.8 and have reuse_access_token enabled.
My issue is that if I receive 2 different access grants and try to obtain access tokens with them, I get the same access token.
Imagine that you have 2 developers who are working on the same OAuth client at the same time. On their local machines they each get an access grant using the consent screen and the authorize button, then they each try to get an access token with their respective grant token, but they get the same one, so their flows are now interdependent. If one refreshes their token, the second one will end up with a revoked token in their hands.
https://www.example.com/oauth/authorize?client_id=CLIENT_ID&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code
=> 9a953a61513ff907a72f11cb0a5199fc67c77fe244c81069f10439d1b44b3862
curl -X POST -d "client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=9a953a61513ff907a72f11cb0a5199fc67c77fe244c81069f10439d1b44b3862&grant_type=authorization_code&redirect_uri=urn:ietf:wg:oauth:2.0:oob" "https://www.example.com/oauth/token"
=> {"access_token":"e04a3044f4e80272580dc1a56b76fa60fa2e32dc4b3e6a39a58fbb3465e77980","token_type":"Bearer","expires_in":7200,"refresh_token":"b0bd59025a4a3ea1c908e49912e786d39d3902d889915ba2e523981feac50d7f","scope":"public","created_at":1708356984}
# the same query
curl -X POST -d "client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=9a953a61513ff907a72f11cb0a5199fc67c77fe244c81069f10439d1b44b3862&grant_type=authorization_code&redirect_uri=urn:ietf:wg:oauth:2.0:oob" "https://www.example.com/oauth/token"
=> {"access_token":"e04a3044f4e80272580dc1a56b76fa60fa2e32dc4b3e6a39a58fbb3465e77980","token_type":"Bearer","expires_in":7189,"refresh_token":"b0bd59025a4a3ea1c908e49912e786d39d3902d889915ba2e523981feac50d7f","scope":"public","created_at":1708356984}
https://www.example.com/oauth/authorize?client_id=CLIENT_ID&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code
=> 7dce69b0c811fd33ca310e6c354f7f96dd1f4ab3dab18dbcd13129e21402a8a0
curl -X POST -d "client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=7dce69b0c811fd33ca310e6c354f7f96dd1f4ab3dab18dbcd13129e21402a8a0&grant_type=authorization_code&redirect_uri=urn:ietf:wg:oauth:2.0:oob" "https://www.example.com/oauth/token"
=> {"access_token":"e04a3044f4e80272580dc1a56b76fa60fa2e32dc4b3e6a39a58fbb3465e77980","token_type":"Bearer","expires_in":7137,"refresh_token":"b0bd59025a4a3ea1c908e49912e786d39d3902d889915ba2e523981feac50d7f","scope":"public","created_at":1708356984}
Do you have any other suggestion on how to implement such a scenario the right way?
Thanks in advance!
Expected behavior
I would expect completely different branches of access tokens from every access grant; this would allow simultaneous, concurrent work of multiple clients with the same application.
Actual behavior
The reuse_access_token option affects different access grants.
System configuration
Doorkeeper initializer:
Ruby version: 3.1.4
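To make the failure mode in the report concrete, here is an added, self-contained Ruby model of a token endpoint with a reuse_access_token switch. It is not Doorkeeper's own code: the class and method names (TokenEndpoint, exchange, refresh, accepts?), the grant hashes and the CLIENT_ID / user-1 / public values are constructed for the example. With reuse enabled, two distinct authorization grants for the same client, resource owner and scopes resolve to one access token, so a refresh by one holder revokes the token the other still uses; with reuse disabled, each grant gets its own token chain and a refresh on one leaves the other valid.

```ruby
# Added example (not Doorkeeper's code): a minimal OAuth2 token endpoint model
# that reproduces the behaviour described in the report.
require 'securerandom'

AccessToken = Struct.new(:token, :refresh_token, :application, :resource_owner,
                         :scopes, :expires_at, :revoked_at, keyword_init: true) do
  def revoked?
    !revoked_at.nil?
  end

  def expired?
    Time.now >= expires_at
  end

  def usable?
    !revoked? && !expired?
  end
end

class TokenEndpoint
  attr_reader :tokens

  def initialize(reuse_access_token:)
    @reuse_access_token = reuse_access_token
    @tokens = []
  end

  # Exchange an authorization grant for a token. With reuse enabled, a still
  # usable token for the same (application, resource owner, scopes) triple is
  # returned no matter which grant is presented; otherwise a new one is minted.
  def exchange(grant)
    if @reuse_access_token
      existing = matching_token(grant[:application], grant[:resource_owner], grant[:scopes])
      return existing if existing
    end
    mint(grant[:application], grant[:resource_owner], grant[:scopes])
  end

  # Refresh: revoke the token that owns this refresh_token and mint a fresh one.
  def refresh(refresh_token)
    old = @tokens.find { |t| t.refresh_token == refresh_token && !t.revoked? }
    raise ArgumentError, 'invalid_grant' unless old
    old.revoked_at = Time.now
    mint(old.application, old.resource_owner, old.scopes)
  end

  # Resource-server view: is this bearer token still accepted?
  def accepts?(token)
    t = @tokens.find { |x| x.token == token }
    !t.nil? && t.usable?
  end

  private

  def matching_token(application, resource_owner, scopes)
    @tokens.find do |t|
      t.usable? && t.application == application &&
        t.resource_owner == resource_owner && t.scopes.sort == scopes.sort
    end
  end

  def mint(application, resource_owner, scopes)
    AccessToken.new(token: SecureRandom.hex(32), refresh_token: SecureRandom.hex(32),
                    application: application, resource_owner: resource_owner,
                    scopes: scopes, expires_at: Time.now + 7200, revoked_at: nil)
               .tap { |t| @tokens << t }
  end
end

# Replay the report's scenario: two separate grants (constructed values) for the
# same client and user, then developer A refreshes their token.
def simulate(reuse_access_token:)
  endpoint = TokenEndpoint.new(reuse_access_token: reuse_access_token)
  grant_a = { code: 'grant-a', application: 'CLIENT_ID', resource_owner: 'user-1', scopes: ['public'] }
  grant_b = grant_a.merge(code: 'grant-b')

  token_a = endpoint.exchange(grant_a)
  token_b = endpoint.exchange(grant_b)
  endpoint.refresh(token_a.refresh_token)

  { same_token: token_a.token == token_b.token,
    b_still_valid: endpoint.accepts?(token_b.token) }
end

if __FILE__ == $PROGRAM_NAME
  puts "reuse on:  #{simulate(reuse_access_token: true)}"
  puts "reuse off: #{simulate(reuse_access_token: false)}"
end
```

The matching rule in this model keys only on application, resource owner and scopes, which is what makes the second grant collapse onto the first token; anything that should keep sessions independent (a per-grant token, or a per-device key folded into the match) has to be part of that lookup, because revocation via refresh acts on the shared token, not on the grant that produced it.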