fermitools / htgettoken

Gets OIDC authentication tokens for High Throughput Computing via a Hashicorp vault server

htdestroytoken doesn't always force getting a new bearer token #84

Open DrDaveD opened 1 year ago

DrDaveD commented 1 year ago

It would be nice if htdestroytoken would force getting a new bearer token, but because vault caches the bearer token in a different plugin than the ones used to create vault tokens, that is not always the case. Since htgettoken doesn't know what the default minsecs is, it doesn't have an easy way to force getting a new bearer token when a new vault token is retrieved (unless it was via oidc authentication which also updates the refresh token). It may require a change to the protocol with the puppetlabs vault plugin.

DrDaveD commented 7 months ago

Probably the thing to do is to delete the refresh token. That will probably require adding the "delete" capability to the policies in htvault-config.

DrDaveD commented 7 months ago

Adding the "delete" capability is required to remove the refresh token. Note that does more than destroying the bearer token, however; it requires going through oidc authentication again.
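As an added illustration of the policy change discussed above (not part of the original issue or of the htvault-config project), here is a Vault policy fragment showing the before and after. The mount name `oauthapp/` and the `creds/` path layout are assumptions about how the puppetlabs OAuth secrets plugin is mounted and how it stores refresh tokens; the actual path used by htvault-config may differ.

```hcl
# BEFORE (assumed shape): the policy can create, read and update the
# refresh-token entry, so htgettoken can obtain and renew credentials,
# but htdestroytoken has no way to remove the stored refresh token.
path "oauthapp/creds/*" {
  capabilities = ["create", "read", "update"]
}

# AFTER: adding "delete" lets the client remove the refresh token.
# Note the consequence described in the issue: once the refresh token is
# gone, the next htgettoken run must go through OIDC authentication again,
# which is a stronger effect than merely discarding the cached bearer token.
path "oauthapp/creds/*" {
  capabilities = ["create", "read", "update", "delete"]
}
```

Because "delete" grants more than is needed for the common case, a defender reviewing this change would keep it scoped to the narrowest path that holds the refresh tokens and confirm with `vault policy read <name>` that no broader path acquired the capability by accident.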