stormpath / stormpath-framework-tck

HTTP integration tests that ensure a Stormpath web framework integration implements the Stormpath Framework Specification
Apache License 2.0

Add a test for revoking Bearer tokens #324

Closed nbarbettini closed 7 years ago

nbarbettini commented 7 years ago

We test that tokens passed via cookies are revoked (deleted) on logout, but we don't test whether tokens passed via a Bearer header are revoked.
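Added example, not part of the thread and not the TCK's own test code: a minimal in-memory model of the gap described in the comment above. A logout handler that only reads the cookie passes the cookie check but leaves a Bearer-presented token usable. The handler names, the `access_token` cookie name, the status codes and the token set are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

ACTIVE = set()  # assumed server-side record of unrevoked access tokens

def issue_token():
    tok = secrets.token_urlsafe(16)
    ACTIVE.add(tok)
    return tok

def cookie_token(headers):
    jar = SimpleCookie(headers.get("Cookie", ""))
    return jar["access_token"].value if "access_token" in jar else None

def bearer_token(headers):
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return (value.strip() or None) if scheme.lower() == "bearer" else None

def logout_cookie_only(headers):
    """Hypothetical logout that revokes only the cookie token (the untested case)."""
    ACTIVE.discard(cookie_token(headers))
    return 200

def logout_cookie_and_bearer(headers):
    """Hypothetical logout that revokes the token from either carrier."""
    for tok in (cookie_token(headers), bearer_token(headers)):
        ACTIVE.discard(tok)
    return 200

def protected(headers):
    """Stand-in for any authenticated endpoint: 200 if the token is still active."""
    tok = bearer_token(headers) or cookie_token(headers)
    return 200 if tok in ACTIVE else 401

def token_revoked_after_logout(logout, carrier):
    """Issue a token, log out presenting it via `carrier`, then replay it."""
    tok = issue_token()
    headers = ({"Authorization": f"Bearer {tok}"} if carrier == "bearer"
               else {"Cookie": f"access_token={tok}"})
    assert protected(headers) == 200  # token is accepted before logout
    logout(headers)
    return protected(headers) == 401  # a revoked token must be rejected

if __name__ == "__main__":
    for name, fn in [("cookie-only", logout_cookie_only),
                     ("cookie+bearer", logout_cookie_and_bearer)]:
        print(name, {c: token_revoked_after_logout(fn, c)
                     for c in ("cookie", "bearer")})
```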

nbarbettini commented 7 years ago

Ping @edjiang - covers the scenario we were discussing.

edjiang commented 7 years ago

Awesome! Will test tomorrow. Just reading through the framework spec now, though, and it seems like revoking via Auth header is not explicitly stated. I know there was some discussion about /oauth/revoke for client auth...

nbarbettini commented 7 years ago

Yeah, this should probably go up for discussion among the team.

edjiang commented 7 years ago

Seems like the discussion was positive. I'll review tomorrow and get merged.

nbarbettini commented 7 years ago

Ping @edjiang - dotnet is now passing this test, any hold up for getting it merged?

edjiang commented 7 years ago

Sure, we should probably add a test for oauth/revoke though.

I kept hearing ideas for merging framework spec + client api proxying, but I don't think that's actually written anymore. Do you know if there's something that states how the proxy will work in the future?

nbarbettini commented 7 years ago

> Do you know if there's something that states how the proxy will work in the future?

AFAIK, not yet. Definitely needs to happen at some point though.