thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

[Feature Request] Make it possible to configure token lifetimes per client #1258

Closed jbaron-gingco closed 2 years ago

jbaron-gingco commented 2 years ago

Currently, token lifetimes can be configured per grant type - in our application, this is basically the same "globally". This is not sufficient for some use cases:

Behaviour idea:

jbaron-gingco commented 2 years ago

Pull request for a first attempt: https://github.com/thephpleague/oauth2-server/pull/1259

Sephster commented 2 years ago

By default we provide a bearer token response. The benefit of these token types is that you don't need to look up a DB to check the validity of the token. The downside is there isn't any way to revoke them, as you've noted. For this reason, the access tokens in the library should always be relatively short-lived.

It is possible to write your own token response, but you'd still have the issue of either holding the client-based token expiration logic in the custom response class (which isn't ideal) or just adding methods to your client entity implementation to support this feature.

I was initially quite keen to add this into the library, but I think we probably shouldn't. If you want this feature, it should be relatively easy to extend your implementation to support it. If we added this, we would be going against most other OAuth 2 server libs, which set these values globally. I'm unsure why this would be, but I'm hesitant to go against convention, and I suspect that it might be because the customisation of access tokens per client could make it more likely that a dev would make an implementation mistake, or more likely that someone would set a long-lived access token without realising the implications when using bearer token responses.

For the reasons above I think we shouldn't implement this in the library. However, if you can find solid examples where this has been done in other libs (closest I could find was Azure's implementation) then I'd be happy to revisit this.
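One way to do what Sephster suggests above (keep the per-client lifetime on your own client entity and let your grant consult it) while still honouring his point about short-lived bearer tokens. This is an added example, not code from the issue, the linked PR or the library itself; it assumes the league/oauth2-server 8.x API (`ClientTrait`, `EntityTrait`, `ClientCredentialsGrant::issueAccessToken()`), and the `ConfigurableClientEntity` class and its `getAccessTokenTTL()` method are hypothetical names. The grant-wide TTL passed to `enableGrantType()` acts as a hard ceiling, so a client can only shorten its tokens, never lengthen them beyond what the server operator allowed.

```php
<?php
declare(strict_types=1);

use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\Traits\ClientTrait;
use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Grant\ClientCredentialsGrant;

// Hypothetical client entity that carries its own access token lifetime.
// The library's ClientEntityInterface has no such method; this is app-level.
final class ConfigurableClientEntity implements ClientEntityInterface
{
    use ClientTrait, EntityTrait;

    public function __construct(string $id, private ?DateInterval $accessTokenTTL)
    {
        $this->identifier = $id;
        $this->name = $id;
        $this->redirectUri = '';
        $this->isConfidential = true;
    }

    // null means "use the grant-wide default".
    public function getAccessTokenTTL(): ?DateInterval
    {
        return $this->accessTokenTTL;
    }
}

// Grant subclass (assumed 8.x signature of issueAccessToken): prefer the
// client's lifetime, but never exceed the grant-wide value, so a misconfigured
// client cannot mint long-lived bearer tokens that cannot be revoked.
final class PerClientTtlClientCredentialsGrant extends ClientCredentialsGrant
{
    protected function issueAccessToken(DateInterval $accessTokenTTL, ClientEntityInterface $client, $userIdentifier, array $scopes = [])
    {
        $ttl = $accessTokenTTL;
        if ($client instanceof ConfigurableClientEntity && $client->getAccessTokenTTL() !== null) {
            $now       = new DateTimeImmutable();
            $clientTtl = $client->getAccessTokenTTL();
            // DateInterval objects are not directly comparable; compare the
            // absolute expiry instants instead and keep the earlier one.
            if ($now->add($clientTtl) < $now->add($accessTokenTTL)) {
                $ttl = $clientTtl;
            }
        }
        return parent::issueAccessToken($ttl, $client, $userIdentifier, $scopes);
    }
}
```

Register it with `$server->enableGrantType(new PerClientTtlClientCredentialsGrant(), new DateInterval('PT1H'))`; the one-hour value is then the maximum any client can receive, and your client repository decides which clients get something shorter.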