It is not possible to revoke a refresh token bound to an expired access token #1671
Comments
Moreover, introspection of such a refresh token (bound to an expired access token) will respond with a misleading
I think this is because the refresh tokens aren't actually
I think what you're seeing with the revoke endpoint is that, in order to not disclose that the token did exist, it always returns 200, regardless of whether or not a token was revoked.
imo this is a bug. The
Taking a step back, the point of revocation is to remove further usages. It's a serious flaw if tokens cannot be revoked because of expiration but can be refreshed. It's kinda silly to work around by refreshing for a new token in order to revoke.
A copy of #1579 but with a focus on refresh tokens.
Steps to reproduce
Request to revoke a refresh token bound to an expired access token.
Expected behavior
The refresh token is revoked and cannot be used to get a new access token.
Actual behavior
The refresh token is not revoked and can be used to get a new access token.
System configuration
Doorkeeper initializer:
Ruby version:
3.1.4
Gemfile.lock:
Reproduction tests
RSpec test to show the issue (simplified):
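The reporter's RSpec test is not reproduced on this page. What follows is an added example, not the reporter's test and not Doorkeeper's code: a minimal in-memory model of an OAuth 2.0 token store whose revocation endpoint behaves the way the issue expects. Revoking a refresh token invalidates it even when the access token it was issued with has already expired, a later refresh attempt with that token is rejected, introspection reports it inactive, and the revocation endpoint still answers 200 regardless of whether anything was revoked (the non-disclosure behaviour mentioned in the comments). All class and method names (`AccessToken`, `TokenStore`, `revoke`, `refresh`, `introspect`, `scenario`) and the constructed timestamps are assumptions made for this illustration.

```ruby
# Added example, not Doorkeeper's code. Models the expected revocation
# semantics for a refresh token whose bound access token has expired.
require 'securerandom'
require 'time'

class AccessToken
  attr_reader :token, :refresh_token, :created_at, :expires_in
  attr_accessor :revoked_at

  def initialize(expires_in:, created_at: Time.now)
    @token = SecureRandom.hex(16)
    @refresh_token = SecureRandom.hex(16)
    @created_at = created_at
    @expires_in = expires_in      # seconds; applies to the access token only
    @revoked_at = nil
  end

  def expired?(now = Time.now)
    now >= created_at + expires_in
  end

  def revoked?
    !revoked_at.nil?
  end

  # The access token itself is usable only when neither expired nor revoked.
  def accessible?(now = Time.now)
    !expired?(now) && !revoked?
  end
end

class TokenStore
  def initialize
    @tokens = []
  end

  def issue(expires_in:, created_at: Time.now)
    AccessToken.new(expires_in: expires_in, created_at: created_at).tap { |t| @tokens << t }
  end

  # RFC 7009 style revocation. The token_type_hint only decides which lookup
  # is tried first. Expiry of the bound access token is deliberately NOT
  # consulted: an expired access token still carries a live refresh token,
  # and that refresh token is exactly what the client wants to kill.
  # Always returns 200 so the endpoint does not reveal whether the token existed.
  def revoke(token_value, token_type_hint: nil, now: Time.now)
    record = if token_type_hint == 'access_token'
               find_by_access_token(token_value) || find_by_refresh_token(token_value)
             else
               find_by_refresh_token(token_value) || find_by_access_token(token_value)
             end
    record.revoked_at = now if record && !record.revoked?
    200
  end

  # Refresh grant: succeeds only for a known, unrevoked refresh token.
  # Returns the newly issued record, or nil (the "invalid_grant" case).
  def refresh(refresh_token_value, expires_in:, now: Time.now)
    old = find_by_refresh_token(refresh_token_value)
    return nil if old.nil? || old.revoked?
    old.revoked_at = now            # rotate: a used refresh token is retired
    issue(expires_in: expires_in, created_at: now)
  end

  # RFC 7662 style introspection of a refresh token. In this model refresh
  # tokens have no expiry of their own, so "active" is purely "not revoked".
  def introspect(token_value, now: Time.now)
    record = find_by_refresh_token(token_value)
    return { active: false } if record.nil?
    { active: !record.revoked?, token_type: 'refresh_token' }
  end

  private

  def find_by_refresh_token(value)
    @tokens.find { |t| t.refresh_token == value }
  end

  def find_by_access_token(value)
    @tokens.find { |t| t.token == value }
  end
end

# The scenario from the issue, on constructed timestamps: issue a one-hour
# access token, wait two hours so it has expired, revoke its refresh token,
# then try to refresh with it.
def scenario
  store = TokenStore.new
  issued_at = Time.utc(2024, 1, 1, 0, 0, 0)
  later = issued_at + 7200
  tok = store.issue(expires_in: 3600, created_at: issued_at)
  status = store.revoke(tok.refresh_token, token_type_hint: 'refresh_token', now: later)
  refreshed = store.refresh(tok.refresh_token, expires_in: 3600, now: later)
  {
    access_token_expired: tok.expired?(later),
    revoke_status: status,
    refresh_after_revoke_succeeded: !refreshed.nil?,
    introspection_active: store.introspect(tok.refresh_token, now: later)[:active]
  }
end

p scenario if __FILE__ == $PROGRAM_NAME
```

Running the file prints the scenario hash; the property the issue asks for is `refresh_after_revoke_succeeded: false` while `access_token_expired: true`. A store that filters revocation candidates by access-token expiry would flip that value to `true`, which is the actual behaviour the report describes.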