
FR: Revoke all refresh tokens for a client #577

Open
hshort opened this issue Feb 27, 2023 · 4 comments

Comments

@hshort

hshort commented Feb 27, 2023

Feature request :)

In the case of a security incident we would need to revoke all refresh tokens for a client.

Some users may wish to revoke access tokens as well (though revocation of access tokens is obviously up for debate...)

@norealroots
Contributor

Also useful should a client accidentally make way too many infinitely lived refresh tokens...

Definitely not from experience or anything.

@enricovianello enricovianello added this to the General backlog milestone Mar 2, 2023
@federicaagostini
Contributor

The "Disable client" feature included in v1.9.0 (#747), which then makes it impossible to obtain access/refresh tokens, should solve this issue. Please open it again if the PR does not satisfy this issue.

@giacomini
Contributor

We've discussed a bit internally and we re-open the issue, because suspending a client doesn't necessarily mean that all refresh tokens need to be revoked. The meaning of suspension can be discussed elsewhere (unless it coincides with this request), but what is the exact meaning of this FR? Are we talking about refresh tokens or more in general about consents? Do we want to allow revoking all RTs/consents, or also give the possibility to revoke a selection of them?

@giacomini giacomini reopened this Jul 23, 2024
@hshort
Author

hshort commented Jul 23, 2024

Hi - I agree the two things could be separate. This request (in my understanding) was to cover cases such as

  • A client secret is compromised
  • Refresh tokens are issued to the compromised client
  • We find out, change the client secret and secure the client
  • Any refresh tokens issued whilst the client was compromised should no longer be valid

So what we might want is a way to revoke RTs in a particular time frame. Honestly I'm not sure how consents come into the picture.

Is that any clearer?

Thanks,
Hannah
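As an added example (not the project's own code, and not tied to its data model), here is the selection rule described in the comment above: revoke the still-usable refresh tokens of one client that were issued inside the compromise window, and leave tokens issued before the window, after the secret rotation, to other clients, or already revoked untouched. The token fields, the sample tokens and the window are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class RefreshToken:
    token_id: str
    client_id: str
    issued_at: datetime
    expires_at: Optional[datetime]  # None models an infinitely lived token
    revoked: bool = False


def select_tokens_to_revoke(tokens: List[RefreshToken], client_id: str,
                            window_start: datetime, window_end: datetime,
                            now: datetime) -> List[str]:
    """Ids of live refresh tokens issued to client_id inside [window_start, window_end].

    window_start is the earliest moment the secret may have been exposed and
    window_end is when the secret was rotated. Expired or already revoked
    tokens are skipped; tokens with no expiry count as live forever.
    """
    selected = []
    for t in tokens:
        if t.client_id != client_id or t.revoked:
            continue
        if t.expires_at is not None and t.expires_at <= now:
            continue  # already unusable, nothing to revoke
        if window_start <= t.issued_at <= window_end:
            selected.append(t.token_id)
    return selected


def revoke(tokens: List[RefreshToken], ids: List[str]) -> int:
    """Mark the selected tokens as revoked; returns how many were changed."""
    wanted = set(ids)
    changed = 0
    for t in tokens:
        if t.token_id in wanted and not t.revoked:
            t.revoked = True
            changed += 1
    return changed


# Constructed sample data: secret exposed on Feb 20, rotated on Feb 25, review on Feb 27.
def _d(day: int) -> datetime:
    return datetime(2023, 2, day, tzinfo=timezone.utc)

WINDOW_START, WINDOW_END, NOW = _d(20), _d(25), _d(27)
SAMPLE_TOKENS = [
    RefreshToken("rt-1", "client-a", _d(19), None),              # before window: keep
    RefreshToken("rt-2", "client-a", _d(21), None),              # in window, no expiry: revoke
    RefreshToken("rt-3", "client-a", _d(22), _d(23)),            # in window but already expired
    RefreshToken("rt-4", "client-b", _d(22), None),              # other client: keep
    RefreshToken("rt-5", "client-a", _d(26), None),              # after rotation: keep
    RefreshToken("rt-6", "client-a", _d(24), None, revoked=True),  # already revoked
    RefreshToken("rt-7", "client-a", _d(23), _d(28)),            # in window, still valid: revoke
]
```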
