-
-
Notifications
You must be signed in to change notification settings - Fork 762
Configurable token revocation policy #3178
Comments
that's a good idea. We don't have the resource right now to implement that. But I will add this as a todo. |
Perfect! |
@loftum have you implemented this? |
@dariusdamalakas No, not in IdentityServer's repo. There is, however, a way to get around it, without altering any IdentityServer code (and which also is pretty upgrade-friendly): By using
where You would have to write your own https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/ClientSecretValidator.cs, and probably a method for hashing keys, as in |
Feel free to start PR where we can discuss the changes you want to make. |
I have finally created a PR: #3322 |
Token revocation spec RFC 7009 section 2.1 says
Depending on the authorization server's revocation policy, the
revocation of a particular token may cause the revocation of related
tokens and the underlying authorization grant. If the particular
token is a refresh token and the authorization server supports the
revocation of access tokens, then the authorization server SHOULD
also invalidate all access tokens based on the same authorization
grant (see Implementation Note). If the token passed to the request
is an access token, the server MAY revoke the respective refresh
token as well.
Currently the revocation policy is as follows:
RevocationEndpointController will do 1 of 2, based on token_type_hint:
token_type_hint = access_token:
Deletes 1 TokenHandle (access token). This will only work for clients which use AccessTokenType.Reference. If the client uses AccessTokenType.Jwt, nothing happens.
token_type_hint = refresh_token:
Deletes all TokenHandles and RefreshTokens for the specified clientId and subjectId.
Let's say we have a client which uses AccessTokenType.Jwt and offline_access with sliding RefreshToken expiration.
A user might be logged in on 2 different devices (same clientId), A and B. When the user logs out from A, we might want to revoke A's refresh token - but not the refresh token used by B - although they have the same clientId and subjectId.
This is currently not possible.
Feature request:
Make token revocation policy customizable in some way:
The latter could be done by moving RevokeAccessTokenAsync(string handle, Client client) and RevokeRefreshTokenAsync(string handle, Client client) from RevocationEndpointController to ITokenRevocationService. And perhaps also pass along token_type_hint.
The text was updated successfully, but these errors were encountered: