fosite icon indicating copy to clipboard operation
fosite copied to clipboard
verified publisher icon ory

feat: revoke refresh token on request only

Open vivshankar opened this issue 2 years ago • 4 comments

The OAuth 2.0 Token Revocation specification (RFC7009) indicates that the authorization server can choose to only revoke refresh tokens if the token in the request is a refresh token in the authorization grant.

This change gives an option to not revoke the refresh token if the token in the request is an access token.

Related Issue or Design Document

N/A

Checklist

  • [x] I have read the contributing guidelines and signed the CLA.
  • [x] I have referenced an issue containing the design document if my change introduces a new feature.
  • [x] I have read the security policy.
  • [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
  • [x] I have added tests that prove my fix is effective or that my feature works.
  • [x] I have added the necessary documentation within the code base (if appropriate).

Further comments

N/A

vivshankar avatar Aug 31 '23 06:08 vivshankar

@aeneasr Do you mind taking a look at this? It's a fairly simple change and has no compatibility impact.

vivshankar avatar Nov 17 '23 02:11 vivshankar

Sorry, I lack the time to look into PRs in fosite at the moment. This looks good to me, but it would be even better if there was a small test for this!

aeneasr avatar Feb 07 '24 16:02 aeneasr

@aeneasr @mitar Added tests

vivshankar avatar Feb 17 '24 07:02 vivshankar

Thanks!

mitar avatar Feb 27 '24 19:02 mitar