Closed dbarrosop closed 1 year ago
@szilarddoro Is it possible to list and invalidate the tokens as well? I can't find any documentation about that.
You have them all in the `auth.refresh_tokens` table, which means you can query them and delete them as needed. Just avoid inserting them yourself.
Motivation
Today when a user needs to interact with a hasura-auth/hasura backed service outside of a frontend application they have two options:
Goal
The goal is to be able to generate tokens to authenticate a backend service or tool as a user. For instance, a `cli` tool, or some backend service that needs access to hasura.
Potential implementation
A potential implementation could be to simply rely on the existing refresh-tokens functionality. In this scenario, a tool like the cli could:
At this point the CLI could just reuse that refresh token and act on behalf of the user.
A similar workflow could be used to authenticate backend services:
Requirements
For this to work I guess we need:
Security implications
The benefit of this mechanism is that the PAT needs to be authenticated every time to generate an access token so it can be revoked anytime.