Closed vroldanbet closed 8 years ago
To further define the problem: a revocation with the same hash as one in the cache will overwrite the cached one. If the newer one has an IssuedBefore time < the cached revocation, we can miss revoking a token.
When adding a token to the cache, check if one with the same hash already exists. If it does, make sure the newer one has a greater IssuedBefore time before adding it to the cache.
1) create a token subject to be revoked
2) submit a revocation by claim "sub"
3) create yet another token with same sub
4) submit the exact same revocation

result: second revocation gets ignored, and second token is never reported as revoked
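The overwrite problem and the proposed check from this thread, as an added example that is not the project's own code. The type and function names, the `Hash` field, the `"h(sub)"` key and all timestamps are constructed for illustration; only `IssuedBefore` comes from the discussion above.

```go
package main

import (
	"fmt"
	"time"
)

// Revocation revokes tokens whose claim hashes to Hash (hypothetical name) and were issued before IssuedBefore.
type Revocation struct {
	Hash         string
	IssuedBefore time.Time
}

// Cache holds one revocation per claim hash.
type Cache struct{ byHash map[string]Revocation }

// AddOverwrite is the behaviour described as the problem: last write wins.
func (c *Cache) AddOverwrite(r Revocation) { c.byHash[r.Hash] = r }

// Add keeps the entry with the greater IssuedBefore when hashes collide.
func (c *Cache) Add(r Revocation) {
	if old, ok := c.byHash[r.Hash]; ok && !r.IssuedBefore.After(old.IssuedBefore) {
		return
	}
	c.byHash[r.Hash] = r
}

// IsRevoked reports whether a token with this claim hash and issue time is revoked.
func (c *Cache) IsRevoked(hash string, issuedAt time.Time) bool {
	r, ok := c.byHash[hash]
	return ok && issuedAt.Before(r.IssuedBefore)
}

// SecondTokenRevoked replays revs into a fresh cache, then checks the second token (issued at T0+2m).
func SecondTokenRevoked(add func(*Cache, Revocation), revs ...Revocation) bool {
	c := &Cache{byHash: map[string]Revocation{}}
	for _, r := range revs {
		add(c, r)
	}
	return c.IsRevoked("h(sub)", T0.Add(2*time.Minute))
}

var T0 = time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)       // constructed base time
var First = Revocation{"h(sub)", T0.Add(1 * time.Minute)}  // submitted after token 1
var Second = Revocation{"h(sub)", T0.Add(3 * time.Minute)} // submitted after token 2

func main() {
	fmt.Println(SecondTokenRevoked((*Cache).AddOverwrite, Second, First)) // false
	fmt.Println(SecondTokenRevoked((*Cache).Add, Second, First))          // true
}
```

The two calls in `main` deliver the revocations out of order, which is the case where a plain overwrite replaces the later `IssuedBefore` with the earlier one.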