
Introspect API does not honour token revocation #120

Open
ThorodanBrom opened this issue Dec 15, 2021 · 1 comment

Comments

@ThorodanBrom
Collaborator

The introspect API does not know about revoked tokens. If a revoked token is introspected, it would return the decoded token successfully. If this is to be changed:

  • revoke token API needs to update a column/table in the DB
    • need to store for each server? This complicates things
  • introspect API needs to check the table after decode
    • again, if stored for each server, will need to check aud field + userId
@ThorodanBrom (Collaborator, Author) commented Feb 4, 2022

If the solution is implemented, it would solve another problem.
In the case where a server does not respond to a token revocation, or responds incorrectly:

  • /token/revoke will end with an error saying tokens were not revoked. This isn't ideal.
  • client secret regeneration ignores the failure and carries on

Implementing the table that contains user + server + timestamp can allow us to expose an API that can perhaps be called by servers in the cases when they experienced downtimes or were offline and could not respond to revocation requests.
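The revocation table sketched in this thread, as an added example that is not part of the project's code: `/token/revoke` records (user, server, timestamp), and introspection looks up the decoded token's `sub` + `aud` pair before reporting it active. The in-memory store, the claim names `sub`/`aud`/`iat`/`exp` and the `None`-server row for user-wide revocation are assumptions.

```python
"""Revocation table for token introspection (added example; assumed design)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RevocationStore:
    # Constructed in-memory stand-in for the DB table: (user_id, server) -> revoked_at.
    # server=None records a revocation that applies to every server of that user
    # (useful when a server was offline and never acknowledged the revoke request).
    _rows: dict = field(default_factory=dict)

    def revoke(self, user_id: str, server: Optional[str], revoked_at: int) -> None:
        """What /token/revoke would write; keeps the latest timestamp per row."""
        key = (user_id, server)
        self._rows[key] = max(revoked_at, self._rows.get(key, 0))

    def revoked_at(self, user_id: str, server: str) -> int:
        """Newest revocation covering this user+server (per-server or user-wide)."""
        return max(self._rows.get((user_id, server), 0),
                   self._rows.get((user_id, None), 0))


def introspect(decoded: dict, store: RevocationStore, now: int) -> dict:
    """RFC 7662-style response built from an already signature-verified payload.

    `decoded` is the hypothetical output of the existing decode step and carries
    `sub` (userId), `aud` (server), `iat` and `exp` as Unix seconds.
    """
    if decoded.get("exp", now + 1) <= now:
        return {"active": False}
    # The table check that the current introspect API lacks: a token is dead if a
    # revocation for its user+server was recorded at or after the token was issued.
    if store.revoked_at(decoded["sub"], decoded["aud"]) >= decoded["iat"]:
        return {"active": False}
    return {"active": True, "sub": decoded["sub"], "aud": decoded["aud"],
            "iat": decoded["iat"], "exp": decoded["exp"]}
```

Tokens issued after the recorded revocation time remain active, so a user can be re-issued tokens without the row being deleted.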
