revoke_token should invalidate all access tokens when get refresh token

[LennyLip]

RFC7009 says

[...] If the particular token is a refresh token [...] then the authorization server SHOULD also invalidate all access tokens. If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.

Now, DOT not "also invalidate all access tokens", when i send a refresh token with revocation.

https://github.com/evonove/django-oauth-toolkit/blob/d2cde74695256a1251a575a377bbb34c759cacbf/oauth2_provider/oauth2_validators.py

[synasius]

Thanks for reporting.
This should be addressed in the next release

[LennyLip]

thanks! please review this comment oauthlib/oauthlib#110 (comment) is this oauthlib or DOT issue?

[hb020]

This is a DOT issue to me. DOT does the persistence.
Also, rfc6749, section 6 says: (upon access token refresh)

The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the
new refresh token. The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client.

DOT does the latter, but does not go for all the consequences, as mentioned in this ticket: revoking the access token that was tied to the refresh token. Easy to fix.

[masci]

@hb020 got it, we simply delete the old refresh token at the moment, but we should trigger a revokation procedure instead, thus invalidating relevant access tokens as well (as mentioned in the current issue).
Thanks for pointing out!