Fix revokation of token on logout

snikket-im / snikket-web-portal

This is the web portal for Snikket Chat services. To learn more about what Snikket Chat services are, check the website.

https://snikket.org

GNU Affero General Public License v3.0

32 stars 12 forks source link

Closed Zash closed 10 months ago

Zash commented 11 months ago

In OAuth 2.0, you don't authenticate with the revocation endpoint using the token you are revoking, but rather the OAuth client credentials.

[x] Builds
[x] Runs
[x] Token gone after logout
[x] Grant gone after logout (an unused refresh token remain but is cleaned up later)

Zash commented 10 months ago

Grant gone after logout (an unused refresh token remain)

[x] Started work in Prosody to clear out old expired grants, which may solve this eventually.