zalando-stups / planb-revocation

Plan B Revocation Service for JWT tokens
http://planb.readthedocs.org/

Self token revocation #111

Open matosf opened 8 years ago

matosf commented 8 years ago

At the moment, to revoke a token (e.g. a customer token) we need a service token to create a revocation.

This means that in the case of a mobile app that has a customer token and wants to revoke it, it cannot do so directly from the mobile, because creating a service token requires a client secret and a service user password, and those should not be on the mobile. Instead it has to call its own backend and do the revocation call from there, where the secrets can be securely stored.

I propose that this use case could be improved with support for a new revocation type (e.g. SELF), that just revokes the token it receives in the Authorization header.

Example:

curl -v -X POST -H "Authorization: Bearer TOKEN_TO_REVOKE" -H "Content-Type: application/json" -d '{
    "type": "SELF"
}' "https://planb-revocation/revocations"

gargravarr commented 8 years ago

This also means allowing tokens from the customer realm - right now only the realms 'service' and 'employee' are allowed.
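
As an added illustration of the SELF revocation type proposed above and the realm change it implies (example code, not part of planb-revocation), the handler below verifies the bearer token's own signature before recording a revocation, so a caller can only revoke a token it actually holds, rejects expired tokens and tokens from realms not on the allow list, and stores a hash of the token rather than the token itself. The HS256 key, the realm names and the in-memory store are assumptions for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions, not Plan B configuration).
SIGNING_KEY = b"constructed-demo-hs256-key"
ALLOWED_REALMS = {"service", "employee", "customer"}   # realm names as used in the issue
REVOKED = {}   # sha256(token) -> revocation record; in-memory stand-in for a store

def _b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims):
    """Constructed helper: mint an HS256 JWT so the handler can be exercised offline."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token):
    """Return the claims only if the signature verifies; None for anything malformed."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        return json.loads(_unb64url(body))
    except ValueError:   # wrong segment count, bad base64 or bad JSON
        return None

def revoke_self(headers, body, now):
    """POST /revocations with {"type": "SELF"}: revoke the bearer token authorizing the call.
    Nothing in the token is trusted until its signature checks out. `now` is unix time."""
    if body.get("type") != "SELF":
        return 400, {"error": "unsupported revocation type"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    token = auth[len("Bearer "):]
    claims = verify_hs256(token)
    if claims is None:
        return 401, {"error": "invalid token"}
    if claims.get("exp", 0) <= now:
        return 401, {"error": "token already expired"}   # nothing left to revoke
    if claims.get("realm") not in ALLOWED_REALMS:
        return 403, {"error": "realm not permitted"}
    REVOKED[hashlib.sha256(token.encode()).hexdigest()] = {"sub": claims.get("sub"), "revoked_at": now}
    return 200, {"revoked": True}

def is_revoked(token):
    return hashlib.sha256(token.encode()).hexdigest() in REVOKED
```

A real deployment would back REVOKED with the service's revocation store and look up the token's hash on every validation, as the other revocation types do.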

lasomethingsomething commented 7 years ago

Hey @gargravarr, this issue dates back to May 2016. Can we close it?

gargravarr commented 7 years ago

This one is eligible for Help Wanted.

On Tue, 7 Feb 2017, 12:24 Lauri Apple, notifications@github.com wrote:

Hey @gargravarr https://github.com/gargravarr, this issue dates back to May 2016. Can we close it?
