indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

FR: Revoke all refresh tokens for a client #577

Open hshort opened 1 year ago

hshort commented 1 year ago

Feature request :)

In the case of a security incident we would need to revoke all refresh tokens for a client.

Some users may wish to revoke access tokens as well (though revocation of access tokens is obviously up for debate...)

norealroots commented 1 year ago

Also useful should a client accidentally make way too many infinitely lived refresh tokens...

Definitely not from experience or anything.

federicaagostini commented 1 month ago

The "Disable client" feature included in v1.9.0 (https://github.com/indigo-iam/iam/pull/747), which then makes it impossible to obtain access/refresh tokens, should solve this issue. Please open it again if the PR does not satisfy this issue.

giacomini commented 1 month ago

We've discussed this a bit internally and are re-opening the issue, because suspending a client doesn't necessarily mean that all refresh tokens need to be revoked. The meaning of suspension can be discussed elsewhere (unless it coincides with this request), but what is the exact meaning of this FR? Are we talking about refresh tokens or, more in general, about consents? Do we want to allow revoking all RTs/consents, or also give the possibility to revoke a selection of them?

hshort commented 1 month ago

Hi - I agree the two things could be separate. This request (in my understanding) was to cover cases such as