
consent: Revokes consent sessions of a subject for a specific OAuth 2.0 Client safely #1951

Closed
sawadashota opened this issue Jul 16, 2020 · 0 comments · Fixed by #1952

Comments

@sawadashota
Contributor

Is your feature request related to a problem? Please describe.

About DELETE /oauth2/auth/sessions/consent
https://www.ory.sh/hydra/docs/reference/api/#revokes-consent-sessions-of-a-subject-for-a-specific-oauth-20-client

The consent session revocation API can revoke sessions for a specific OAuth 2.0 Client or for all clients.
I feel scared because all consent sessions of a subject will be revoked if the client URL parameter is forgotten or mistyped.

Describe the solution you'd like

It should revoke all consent sessions of a subject only if it's requested explicitly.
So I propose 2 ideas:

  • When the client parameter's value is all, revoke all of them
  • Divide endpoint for a specific client and for all clients
    • ex. DELETE /oauth2/auth/sessions/consent/all?subject=string
aeneasr pushed a commit that referenced this issue Jul 31, 2020
…ed (#1952)

This patch adds query parameter `all` to `/oauth2/auth/sessions/consent`. If `all=true`, then all consent sessions of a certain subject will be revoked.

BREAKING CHANGE: Previously, '/oauth2/auth/sessions/consent?subject=foo@bar.com' would revoke all consent sessions of that user. This may be problematic in cases where the caller forgot to specify the client ID as all tokens for that user are revoked. To prevent that, a "failsafe" `all=true` is now required to make this explicit: '/oauth2/auth/sessions/consent?subject=foo@bar.com&all=true'.

Closes #1951
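The failsafe described in the commit above, as an added example that is not Hydra's own code: a minimal in-process handler for `DELETE /oauth2/auth/sessions/consent` that refuses a bare `subject=` (the request that used to wipe every consent session), a caller-side URL builder that applies the same rule before the request is sent, and a constructed in-memory store standing in for Hydra's persistence. Rejecting `client` and `all=true` together, and treating only the literal string `true` as a wildcard, are this example's own choices, not documented Hydra behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sort"
)

// consentStore is a constructed stand-in for Hydra's consent persistence:
// subject -> set of client IDs that currently hold a consent session.
// (Single-threaded example; a real server would guard this with a mutex.)
type consentStore struct {
	sessions map[string]map[string]struct{}
}

func newConsentStore() *consentStore {
	return &consentStore{sessions: map[string]map[string]struct{}{}}
}

// grant records a consent session for subject at client.
func (s *consentStore) grant(subject, client string) {
	if s.sessions[subject] == nil {
		s.sessions[subject] = map[string]struct{}{}
	}
	s.sessions[subject][client] = struct{}{}
}

// clients returns the sorted client IDs with a live consent session for subject.
func (s *consentStore) clients(subject string) []string {
	out := make([]string, 0, len(s.sessions[subject]))
	for c := range s.sessions[subject] {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// handleRevokeConsent applies the #1952 failsafe: a subject alone is rejected,
// the caller must either name a client or pass all=true explicitly.
func (s *consentStore) handleRevokeConsent(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodDelete {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	q := r.URL.Query()
	subject, client, all := q.Get("subject"), q.Get("client"), q.Get("all") == "true"
	switch {
	case subject == "":
		http.Error(w, "query parameter subject is required", http.StatusBadRequest)
		return
	case client == "" && !all: // the request that previously revoked everything silently
		http.Error(w, "set client=<id> or all=true to revoke every consent session", http.StatusBadRequest)
		return
	case client != "" && all: // this example's choice: refuse the ambiguous combination
		http.Error(w, "client and all=true are mutually exclusive", http.StatusBadRequest)
		return
	}
	if all {
		delete(s.sessions, subject)
	} else {
		delete(s.sessions[subject], client) // no-op on a nil map
	}
	w.WriteHeader(http.StatusNoContent)
}

// RevokeConsentURL is the caller-side guard (hypothetical helper): it only emits
// a wildcard revocation when allClients is set explicitly, so a forgotten client
// ID fails locally instead of reaching the server.
func RevokeConsentURL(base, subject, client string, allClients bool) (string, error) {
	if subject == "" {
		return "", fmt.Errorf("subject is required")
	}
	if client == "" && !allClients {
		return "", fmt.Errorf("refusing to revoke consent for %q without a client ID; pass allClients=true to revoke everything", subject)
	}
	q := url.Values{"subject": {subject}}
	if allClients {
		q.Set("all", "true")
	} else {
		q.Set("client", client)
	}
	return base + "/oauth2/auth/sessions/consent?" + q.Encode(), nil
}

// revokeStatus sends one DELETE with the given query string to the in-process
// handler and returns the HTTP status it answered with.
func revokeStatus(s *consentStore, rawQuery string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodDelete, "/oauth2/auth/sessions/consent?"+rawQuery, nil)
	s.handleRevokeConsent(rec, req)
	return rec.Code
}

func main() {
	store := newConsentStore()
	store.grant("foo@bar.com", "client-a")
	store.grant("foo@bar.com", "client-b")
	for _, q := range []string{
		"subject=foo@bar.com",                 // pre-#1952 wiped everything; now 400
		"subject=foo@bar.com&client=client-a", // targeted revocation
		"subject=foo@bar.com&all=true",        // explicit wildcard
	} {
		fmt.Printf("%-38s -> %d, remaining %v\n", q, revokeStatus(store, q), store.clients("foo@bar.com"))
	}
	if _, err := RevokeConsentURL("https://hydra.example", "foo@bar.com", "", false); err != nil {
		fmt.Println("client-side guard:", err)
	}
}
```

Running `main` shows the three requests in order: the bare subject is answered with 400 and both sessions survive, the client-scoped request returns 204 and leaves only `client-b`, and `all=true` returns 204 and empties the subject's sessions. Putting the same check in the URL builder means an automation script that drops the client ID fails at build time rather than succeeding destructively.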