When doing g10 testing, there are two tokens issued to patient apps:
From the Standalone Patient App step (step #1)
From the Limited Access App (step #2)
Later, when demonstrating token revocation (step 9.3), Inferno assumes and pre-populates the token from step 1. However, systems may have revoked that token already when issuing the limited access app token (from what I can tell, auth servers are not prohibited from revoking access tokens if a subsequent auth code flow issues a more restricted token).
It would be useful if Inferno let the user select which of the two access tokens should be used when performing the revocation test.
There is a workaround, where the user can just re-run step 1 to stage the token for revocation testing, but that is a little awkward in the overall testing flow.