OAuth access tokens are stored in the database and are not revoked when signing out. This is not covered by the original OAuth specification. The behaviour is similar to what you experience when using session cookies and closing your browser. The cookie still exists on the server, but is removed from the browser and you can't access server resources anymore. RFC 7009 adds a new endpoint to the OAuth specification and allows revoking access and refresh tokens that are no longer needed.
ember-simple-auth has added the ability to revoke tokens in mainmatter/ember-simple-auth#228. It seems like we only need to add a configuration item to enable token revocation in the client. On the server, a new endpoint (/ghost/api/v0.1/authentication/revoke) needs to be implemented.
@novaugust no, this is not related. This issue is solely about removing the access and refresh tokens from the database when someone signs out. The IRC conversation is related to #3492, which is about handling session expiry more gracefully.
closes TryGhost#3758
- new API method to delete access and refresh token
- use new ember-simple-auth config to revoke tokens on logout
- new method to delete tokens by .. token