OpenAM issue OPENAM-7146

Revoke access tokens while revoking refresh tokens

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 12.0.1, 12.0.2
    • Fix Version/s: 13.5.0
    • Component/s: oauth2

      Description

      Revoke the access tokens when the refresh tokens are revoked.

      Per RFC 7009 (https://tools.ietf.org/html/rfc7009), "Revocation Request" states:
      "Depending on the authorization server's revocation policy, the
      revocation of a particular token may cause the revocation of related
      tokens and the underlying authorization grant. If the particular
      token is a refresh token and the authorization server supports the
      revocation of access tokens, then the authorization server SHOULD
      also invalidate all access tokens based on the same authorization
      grant (see Implementation Note). If the token passed to the request
      is an access token, the server MAY revoke the respective refresh
      token as well."

      In OpenAM 12.0.x:

      1. When we revoke an access token, it revokes both the access token and the refresh token.
      2. When we revoke a refresh token, it revokes only the refresh token, not the access token.
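      The following is an added illustration, not OpenAM code: a small in-memory token store that groups tokens by the authorization grant they were issued under and applies the RFC 7009 revocation policy quoted above. The `cascade_refresh` flag switches between the OpenAM 12.0.x behaviour described in this issue (revoking a refresh token leaves the grant's access tokens valid) and the RFC 7009 "SHOULD" behaviour (revoking a refresh token also invalidates every access token of the same grant). The grant id, the token format and the `simulate` helper are assumptions made for the example; how OpenAM actually links tokens to grants is not shown here.

```python
# Added example (not OpenAM code): a model of RFC 7009 revocation policy for
# tokens that share an authorization grant.
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    kind: str        # "access" or "refresh"
    grant_id: str    # the authorization grant this token was issued under
    revoked: bool = False


class TokenStore:
    def __init__(self, cascade_refresh: bool):
        # cascade_refresh=False models OpenAM 12.0.x; True models RFC 7009 "SHOULD".
        self.cascade_refresh = cascade_refresh
        self._tokens: dict[str, Token] = {}

    def issue(self, grant_id: str, access_count: int = 1) -> tuple[str, list[str]]:
        """Issue one refresh token and `access_count` access tokens under one grant."""
        refresh = self._new("refresh", grant_id)
        access = [self._new("access", grant_id) for _ in range(access_count)]
        return refresh, access

    def _new(self, kind: str, grant_id: str) -> str:
        value = secrets.token_urlsafe(16)  # opaque random token (assumed format)
        self._tokens[value] = Token(value, kind, grant_id)
        return value

    def is_valid(self, value: str) -> bool:
        """What a resource server would learn from introspecting the token."""
        tok = self._tokens.get(value)
        return tok is not None and not tok.revoked

    def revoke(self, value: str) -> list[str]:
        """Handle a revocation request and return the kinds of tokens invalidated.

        RFC 7009 treats an unknown or already-revoked token as a successful
        request (HTTP 200) so the endpoint does not reveal token validity;
        here that case returns an empty list.
        """
        tok = self._tokens.get(value)
        if tok is None or tok.revoked:
            return []
        if tok.kind == "access":
            # Revoking an access token revokes it plus the grant's refresh token,
            # as reported for 12.0.x (RFC 7009 "MAY"). Other access tokens of the
            # grant are assumed untouched in this model.
            targets = [tok] + self._grant_tokens(tok.grant_id, "refresh")
        elif self.cascade_refresh:
            # RFC 7009 "SHOULD": every access token of the same grant goes too.
            targets = [tok] + self._grant_tokens(tok.grant_id, "access")
        else:
            # 12.0.x behaviour reported in this issue: only the refresh token.
            targets = [tok]
        for t in targets:
            t.revoked = True
        return sorted(t.kind for t in targets)

    def _grant_tokens(self, grant_id: str, kind: str) -> list[Token]:
        return [t for t in self._tokens.values()
                if t.grant_id == grant_id and t.kind == kind and not t.revoked]


def simulate(cascade_refresh: bool, revoke_kind: str) -> dict:
    """Issue a grant with two access tokens, revoke one token, report what remains valid."""
    store = TokenStore(cascade_refresh)
    refresh, access = store.issue("grant-1", access_count=2)  # constructed grant id
    target = refresh if revoke_kind == "refresh" else access[0]
    revoked = store.revoke(target)
    return {
        "revoked": revoked,
        "refresh_valid": store.is_valid(refresh),
        "access_valid": [store.is_valid(a) for a in access],
        "repeat_is_noop": store.revoke(target) == [],
    }


if __name__ == "__main__":
    for cascade in (False, True):
        for kind in ("access", "refresh"):
            label = "RFC 7009 cascade" if cascade else "OpenAM 12.0.x   "
            print(label, "revoke", kind, "->", simulate(cascade, kind))
```

      Running the block prints, for each mode, which token kinds were invalidated and whether the refresh token and the two access tokens still pass `is_valid`; in the 12.0.x mode the access tokens survive a refresh-token revocation, which is the gap this issue fixes.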

    People

    • Assignee: Unassigned
    • Reporter: kamal.sivanandam@forgerock.com Kamal Sivanandam
    • Votes: 3
    • Watchers: 7