Able to refresh a token after it has been revoked #1510
Comments
@dwaynelaforce do you use the
@soerface sorry for taking so long to respond! Priorities shifted at work for the last month, but I am back on this now. We are not using that setting, but we do use REFRESH_TOKEN_EXPIRE_SECONDS, which is set to 7 days. Here is the Django test code in our Django app that was working in the prior version but is failing in this version:
I have verified that the response from that API call in the assertRaises is 200 OK and includes a new access token and refresh token.
After more closely reviewing, I'm guessing then that this is intended behavior and the issue here is my expectation being different. Could you confirm? If that is the case, it sounds like the correct way for a user to revoke third-party access to their account is to revoke the refresh token if it exists rather than the access token. Is a new template needed, where a user's access tokens AND refresh tokens are provided with links to revoke?
Describe the bug
I am able to exchange a refresh token for a new access token when the original access token was revoked. I had a test in my local django project that validated this did not happen (in version 2.3.0) but now it does (in version 3.0.1). I want to know if this is desired behavior or perhaps a regression has been introduced to the codebase.
To Reproduce
Create an Application with Authorization Code type.
Initiate the workflow from the external app, authenticate, and authorize.
Go to the authorized tokens page, select the new token, and delete.
In postman, make a refresh token request using the refresh token, the response is 200 OK and includes a new access token and refresh token.
Expected behavior
After revoking an access token, the corresponding refresh token would also be revoked and unusable by the external application.
Version
3.0.1
Additional context
Sorry if this has been raised already; I did browse the open and closed issues for this release and did not see anything. Thanks for all your work on this package.
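The two revocation behaviours discussed in this issue, as an added illustration that is not part of the original report and not django-oauth-toolkit's own code: a constructed in-memory token store in which an access token and the refresh token issued alongside it are linked. The `cascade_revocation` flag is an assumption of this example; with it off, deleting an access token leaves its refresh token usable (the behaviour the reporter describes), with it on, the refresh token is invalidated too (the reporter's expectation). Revoking the refresh token, the path the second comment proposes, also invalidates the linked access token, and refresh tokens are single-use so a consumed one cannot be replayed.

```python
"""Toy OAuth2 token store showing how access-token revocation does or does
not propagate to the linked refresh token.

Constructed example for this thread; it is not django-oauth-toolkit's
implementation. Names such as `cascade_revocation`, `TokenStore` and
`refresh_after_access_revocation` are assumptions of this example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict


class TokenError(Exception):
    """Raised when a token is unknown, expired or revoked (an invalid_grant)."""


@dataclass
class AccessToken:
    token: str
    user: str
    expires_at: float
    revoked: bool = False


@dataclass
class RefreshToken:
    token: str
    user: str
    access_token: str  # the access token this refresh token was issued with
    revoked: bool = False


@dataclass
class TokenPair:
    access: AccessToken
    refresh: RefreshToken


class TokenStore:
    def __init__(self, cascade_revocation: bool = True, access_ttl: int = 3600):
        # cascade_revocation=False models "delete the access token, refresh still works"
        self.cascade_revocation = cascade_revocation
        self.access_ttl = access_ttl
        self._access: Dict[str, AccessToken] = {}
        self._refresh: Dict[str, RefreshToken] = {}

    def issue(self, user: str) -> TokenPair:
        """Issue a fresh access/refresh pair for `user` and link them."""
        access = AccessToken(secrets.token_urlsafe(32), user, time.time() + self.access_ttl)
        refresh = RefreshToken(secrets.token_urlsafe(32), user, access.token)
        self._access[access.token] = access
        self._refresh[refresh.token] = refresh
        return TokenPair(access, refresh)

    def revoke_access_token(self, token: str) -> None:
        """Revoke an access token; with cascading, also revoke its refresh token."""
        access = self._access.get(token)
        if access is None:
            raise TokenError("unknown access token")
        access.revoked = True
        if self.cascade_revocation:
            for refresh in self._refresh.values():
                if refresh.access_token == token:
                    refresh.revoked = True

    def revoke_refresh_token(self, token: str) -> None:
        """Revoke a refresh token and the access token it was issued with."""
        refresh = self._refresh.get(token)
        if refresh is None:
            raise TokenError("unknown refresh token")
        refresh.revoked = True
        access = self._access.get(refresh.access_token)
        if access is not None:
            access.revoked = True

    def refresh(self, refresh_token: str) -> TokenPair:
        """Exchange a refresh token for a new pair; the old refresh token is consumed."""
        refresh = self._refresh.get(refresh_token)
        if refresh is None or refresh.revoked:
            raise TokenError("invalid_grant: refresh token unknown or revoked")
        refresh.revoked = True  # rotation: each refresh token may be used once
        return self.issue(refresh.user)

    def introspect(self, access_token: str) -> bool:
        """True if the access token is known, unexpired and not revoked."""
        access = self._access.get(access_token)
        return access is not None and not access.revoked and access.expires_at > time.time()


def refresh_after_access_revocation(cascade: bool) -> bool:
    """Replay the issue's scenario; return True if the refresh call still succeeds."""
    store = TokenStore(cascade_revocation=cascade)
    pair = store.issue("alice")
    store.revoke_access_token(pair.access.token)
    try:
        store.refresh(pair.refresh.token)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    print("no cascade, refresh succeeds after revoking access token:",
          refresh_after_access_revocation(False))
    print("cascade, refresh succeeds after revoking access token:",
          refresh_after_access_revocation(True))
```

Running the module prints `True` for the non-cascading store and `False` for the cascading one, which is the difference between the observed and the expected behaviour in the report; the `revoke_refresh_token` path is the one a "revoke third-party access" page would call if it offers refresh tokens rather than access tokens.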