@pull pull bot commented Feb 11, 2025

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.1)

Can you help keep this open source service alive? 💖 Please sponsor : )

alnr and others added 2 commits February 11, 2025 12:12
This change adds the ability to revoke token chains by "consent
challenge ID".

## "Consent sessions"

Each time the user goes through a `GET
/oauth2/auth?response_type=code&...` auth code flow, we persist a new
"consent session" to the database.

This is independent of whether the user has previously logged in and/or
granted consent, or whether the user was actively asked to grant consent
by the consent app. A successful journey through the auth code flow
results in a new "consent session".

This consent session is uniquely identified by its "consent challenge
ID". This ID is obtained from the [`GET
/admin/oauth2/auth/requests/consent?consent_challenge=...`](https://www.ory.sh/docs/reference/api#tag/oAuth2/operation/getOAuth2ConsentRequest)
API. Note that it is not the same as the `consent_challenge=...` query
parameter!

Any access and refresh tokens obtained from a token exchange following
that particular user journey are bound to that consent session.

We call the totality of all refresh+access tokens derived from a
particular consent session a "token chain".

## Token revocation

Revoking an access token (AT) is simple: send the AT to `/oauth2/revoke`
and it is revoked. If this AT was derived from a refresh token (RT), the
parent RT is not revoked.

Revoking a refresh token (RT) also revokes associated access tokens.

## Revocation by consent challenge ID

During an authorization code flow, save the consent challenge ID into
the access token session data:

```
GET /admin/oauth2/auth/requests/consent?consent_challenge=abcdef
```
Response:
```
{
  "acr": ...,
  "challenge": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix" # <- this is the ID we need
  ...
}
```

Accept the consent request:
```
PUT /admin/oauth2/auth/requests/consent/accept?consent_challenge=abcdef
{
  "remember": true,
  "remember_for": 3600,
  "session": {
    "access_token": {
      "ccid": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix"
    }
  },
  ...
}
```

To revoke the token chain associated with this consent challenge ID, use

```
POST admin/oauth2/auth/sessions/consent?consent_challenge_id=G_TIM3XABG14UwIgDoT1DRfipjhC1uix
```
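As an added example, not code from the PR or from Ory Hydra itself, here is a Go client for the consent-app side of the flow described in the commit message: it accepts the consent request with the consent challenge ID stored as `ccid` in the access token session, and later revokes the whole token chain through the endpoint the message names. The helper names, the `adminURL` base and the leading slash on the revocation path are assumptions; the paths, method and request body come from the message.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// callAdmin sends one JSON request to the admin API and treats any non-2xx status as an error.
func callAdmin(method, endpoint string, body any) error {
	var buf bytes.Buffer
	if body != nil {
		if err := json.NewEncoder(&buf).Encode(body); err != nil {
			return err
		}
	}
	req, err := http.NewRequest(method, endpoint, &buf)
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("%s %s: unexpected status %d", method, endpoint, resp.StatusCode)
	}
	return nil
}

// AcceptConsentWithCCID accepts the consent request and stores the consent challenge ID (the
// "challenge" field of the consent request) as "ccid" in the access token session, so every
// token in the resulting chain carries it. adminURL is an assumed base URL of the admin API.
func AcceptConsentWithCCID(adminURL, consentChallenge, ccid string) error {
	endpoint := adminURL + "/admin/oauth2/auth/requests/consent/accept?consent_challenge=" + url.QueryEscape(consentChallenge)
	payload := map[string]any{"remember": true, "remember_for": 3600,
		"session": map[string]any{"access_token": map[string]string{"ccid": ccid}}}
	return callAdmin(http.MethodPut, endpoint, payload)
}

// RevokeTokenChain revokes every access and refresh token derived from that consent session,
// using the method and path given in the commit message (leading slash assumed).
func RevokeTokenChain(adminURL, ccid string) error {
	endpoint := adminURL + "/admin/oauth2/auth/sessions/consent?consent_challenge_id=" + url.QueryEscape(ccid)
	return callAdmin(http.MethodPost, endpoint, nil)
}
```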
@pull pull bot added the ⤵️ pull label Feb 11, 2025
@pull pull bot merged commit e715c8b into boost-entropy-golang:master Feb 11, 2025