Because Roundcube allows multiple concurrent HTTP requests at the same time, we end up with a race condition that breaks the session when the OAuth token is refreshed.
It is a known best practice in OAuth to rotate refresh tokens: with each access token refresh the old refresh token is revoked and a new one is issued. Consider two HTTP requests arriving at (almost) the same time:
- First request reads the session (with the OAuth token)
- Second request reads the session (with the same OAuth token)
- First request refreshes the token and finishes (storing the new token pair in the session)
- Second request attempts to refresh with the token it read earlier, but this fails because that refresh token has already been revoked. The session gets killed.
How big a problem this is depends on the token expiration time (how often the refresh happens) and on how often users open UIs that are more likely to issue simultaneous requests.
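The following is an added example, not Roundcube code: it replays the four-step interleaving above against a constructed mock authorization server that revokes the old refresh token on every refresh, and a constructed session store. The unguarded flow reproduces the "session killed" outcome; the guarded flow re-reads the session under a lock before refreshing and adopts the other request's freshly stored tokens when the refresh token it read earlier has already been rotated. The class and function names are assumptions made for this example.

```python
"""Added example, not Roundcube code: replays the refresh-token race from
the issue against a constructed mock authorization server and session store,
first with the unguarded flow and then with a guarded one."""
import threading


class InvalidGrant(Exception):
    """Authorization server rejected the refresh token (OAuth 'invalid_grant')."""


class MockAuthServer:
    """Constructed stand-in for an OAuth server that rotates refresh tokens:
    each refresh revokes the presented refresh token and issues a new pair."""

    def __init__(self):
        self._lock = threading.Lock()
        self._live = set()   # refresh tokens that are still valid
        self._n = 0

    def _issue(self):
        self._n += 1
        rt = f"rt{self._n}"
        self._live.add(rt)
        return {"access_token": f"at{self._n}", "refresh_token": rt}

    def login(self):
        with self._lock:
            return self._issue()

    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token not in self._live:
                raise InvalidGrant(refresh_token)
            self._live.discard(refresh_token)   # rotation: the old token is revoked
            return self._issue()


class SessionStore:
    """Constructed session backend holding the user's token pair."""

    def __init__(self, tokens):
        # In a multi-process web server this lock must be shared across
        # processes (e.g. a database row lock), not an in-process mutex.
        self.lock = threading.Lock()
        self._data = dict(tokens)

    def read(self):
        with self.lock:
            return dict(self._data)

    def read_locked(self):            # caller already holds self.lock
        return dict(self._data)

    def write_locked(self, tokens):   # caller already holds self.lock
        self._data = dict(tokens)

    def write(self, tokens):
        with self.lock:
            self.write_locked(tokens)


def refresh_naive(server, session, seen):
    """Unguarded flow: refresh whatever token this request read earlier."""
    try:
        new = server.refresh(seen["refresh_token"])
    except InvalidGrant:
        return None, "session killed"
    session.write(new)
    return new, "refreshed"


def refresh_guarded(server, session, seen):
    """Guarded flow: re-read the session under the lock; if another request
    already rotated the token, adopt its result instead of refreshing again."""
    with session.lock:
        current = session.read_locked()
        if current["refresh_token"] != seen["refresh_token"]:
            return current, "reused"
        new = server.refresh(current["refresh_token"])
        session.write_locked(new)
        return new, "refreshed"


def simulate(refresh_fn):
    """Replay the interleaving from the issue: both requests read the session
    before either refreshes. Returns both outcomes and the final session token."""
    server = MockAuthServer()
    session = SessionStore(server.login())
    seen1 = session.read()                             # first request reads session
    seen2 = session.read()                             # second request reads session
    _, status1 = refresh_fn(server, session, seen1)    # first refreshes and stores
    _, status2 = refresh_fn(server, session, seen2)    # second attempts the same
    return status1, status2, session.read()["refresh_token"]


def run_naive():
    return simulate(refresh_naive)


def run_guarded():
    return simulate(refresh_guarded)


if __name__ == "__main__":
    print("naive  :", run_naive())
    print("guarded:", run_guarded())
```

With the unguarded flow the second request ends in "session killed" even though the session already holds a valid, freshly rotated pair; with the guarded flow it simply reuses that pair. A variant of the same idea is to treat an `invalid_grant` response as a signal to re-read the session and retry with whatever is stored there, and only kill the session if the stored refresh token is the one that was just rejected.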