FR: Revoke all refresh tokens for a client #577
Feature request :)

In the case of a security incident we would need to revoke all refresh tokens for a client.

Some users may wish to revoke access tokens as well (though revocation of access tokens is obviously up for debate...)

Comments

Also useful should a client accidentally make way too many infinitely lived refresh tokens... Definitely not from experience or anything.

The "Disable client" feature included in v1.9.0 (#747) with the following impossibility to obtain access/refresh tokens should solve this issue. Please open it again if the PR does not satisfy this issue.

We've discussed a bit internally and we re-open the issue, because suspending a client doesn't necessarily mean that all refresh tokens need to be revoked. The meaning of suspension can be discussed elsewhere (unless it coincides with this request), but what is the exact meaning of this FR? Are we talking about refresh tokens or more in general about consents? Do we want to allow to revoke all RTs/consents or also to give the possibility to revoke a selection of them?

Hi - I agree the two things could be separate. This request (in my understanding) was to cover cases such as