Closed
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- Nextcloud Server is running on 64bit capable CPU, PHP and OS.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
After an OAuth client is deleted in NC, the tokens that it has given out are still valid and can be used for authentication.
We have encountered this issue while developing the OpenProject integration app.
The only workaround we have found is to get all tokens of an OAuth client before deleting it and invalidate them one by one: nextcloud/integration_openproject#261, but IMO it would be better if that happened automatically when the client gets deleted.
Steps to reproduce
- create an oauth client
- connect to NC using that oauth client
- delete the oauth client
- try to use the issued tokens to connect to NC
Expected behavior
tokens should be invalidated
Installation method
No response
Operating system
Debian/Ubuntu
PHP engine version
PHP 7.4
Web server
Apache (supported)
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "192.168.108.156",
            "host.docker.internal",
            "172.17.0.1",
            "192.168.10.29"
        ],
        "apps_paths": [
            {
                "path": "\/home\/artur\/www\/nextcloud-server\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/home\/artur\/www\/nextcloud-server\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "26.0.0.1",
        "overwrite.cli.url": "http:\/\/localhost\/nextcloud-server",
        "htaccess.RewriteBase": "\/nextcloud-server\/",
        "installed": true,
        "debug": true,
        "allow_local_remote_servers": true,
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "loglevel": 2,
        "maintenance": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpport": "\u00fc\u00e4\u00fc\u00fc",
        "0": [
            [
                "localhost",
                11211
            ]
        ],
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        }
    }
}
List of activated Apps
Enabled:
- activity: 2.18.0
- cloud_federation_api: 1.9.0
- comments: 1.16.0
- contactsinteraction: 1.7.0
- dashboard: 7.6.0
- dav: 1.25.0
- federatedfilesharing: 1.16.0
- federation: 1.16.0
- files: 1.21.1
- files_sharing: 1.18.0
- files_trashbin: 1.16.0
- files_versions: 1.19.0
- integration_openproject: 2.1.0
- lookup_server_connector: 1.14.0
- notifications: 2.14.0
- oauth2: 1.14.0
- provisioning_api: 1.16.0
- settings: 1.8.0
- sharebymail: 1.16.0
- systemtags: 1.16.0
- theming: 2.1.1
- twofactor_backupcodes: 1.15.0
- updatenotification: 1.16.0
- user_status: 1.6.0
- viewer: 1.10.0
- weather_status: 1.6.0
- workflowengine: 2.8.0
Disabled:
- admin_audit
- bruteforcesettings
- encryption
- files_external
- testing
- user_ldap
Nextcloud Signing status
Integrity checker has been disabled. Integrity cannot be verified.
Nextcloud Logs
No response
Additional info
No response
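Added example, not part of the original issue and not Nextcloud's code: a small SQLite model of the reported behaviour next to the expected one, plus an audit query for tokens whose issuing client is gone. The `clients`/`tokens` schema, the function names and the sample rows are hypothetical and constructed for illustration, and the token check is assumed to look at the token row only.

```python
import sqlite3

# Hypothetical minimal schema (NOT Nextcloud's real tables): one row per
# OAuth client, one row per access token issued through that client.
SCHEMA = """
CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE tokens  (token TEXT PRIMARY KEY, client_id INTEGER, user TEXT);
"""

def new_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data: two clients, three issued tokens.
    db.executemany("INSERT INTO clients VALUES (?, ?)",
                   [(1, "openproject"), (2, "other-app")])
    db.executemany("INSERT INTO tokens VALUES (?, ?, ?)",
                   [("tok-a", 1, "alice"), ("tok-b", 1, "bob"),
                    ("tok-c", 2, "alice")])
    return db

def authenticate(db, token):
    """Assumed validation: only the token row is looked up, so a token
    can outlive the client that issued it."""
    row = db.execute("SELECT user FROM tokens WHERE token = ?",
                     (token,)).fetchone()
    return row[0] if row else None

def delete_client_only(db, client_id):
    """Reported behaviour: the client row goes away, its tokens stay."""
    with db:
        db.execute("DELETE FROM clients WHERE id = ?", (client_id,))

def delete_client_and_tokens(db, client_id):
    """Expected behaviour: revoke the client's tokens in the same transaction."""
    with db:
        db.execute("DELETE FROM tokens WHERE client_id = ?", (client_id,))
        db.execute("DELETE FROM clients WHERE id = ?", (client_id,))

def orphaned_tokens(db):
    """Audit check: tokens whose issuing client no longer exists."""
    rows = db.execute(
        "SELECT t.token FROM tokens t LEFT JOIN clients c ON c.id = t.client_id "
        "WHERE c.id IS NULL ORDER BY t.token").fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = new_store()
    delete_client_only(db, 1)
    print("still valid after delete:", authenticate(db, "tok-a"))
    print("orphaned:", orphaned_tokens(db))
```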