revokeOtherAccessTokens does not revoke/delete Refresh Tokens #84
Comments
It would seem to me in a perfect world, people wouldn't request new access tokens, they would use their existing refresh token. Following that flow would mean the token becomes The simplest solution, in my mind, would be to set up a scheduled job to prune the refresh tokens based on either The other option would be to submit a PR to change
Maybe a new static field can be added for example And prevent calling method
Using a cron job should do the trick.
I am using the password grant. When I request a new access token, all existing access tokens are revoked / deleted.
But the refresh tokens for the revoked access tokens are not revoked / deleted. So you end up with lots of not-revoked refresh tokens pointing to non-existing or revoked access tokens in your database (depending on `Passport::pruneRevokedTokens();`).
As an aside: see #83 - I think an option to allow multiple access tokens for one client_id would be really nice (say iPad, iPhone and Android logged in at the same time)!
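One way to implement the scheduled cleanup suggested in the comments above, written here as an added example rather than Passport's own code: it assumes Passport's default table and column names (`oauth_access_tokens`, `oauth_refresh_tokens`, `access_token_id`, `revoked`, `expires_at`) and the default database connection, and the function name `pruneOrphanedRefreshTokens` is hypothetical.

```php
<?php
// Added example, not Passport's own code. Assumes Passport's default schema:
// oauth_access_tokens(id, revoked) and
// oauth_refresh_tokens(id, access_token_id, revoked, expires_at).

use Carbon\Carbon;
use Illuminate\Support\Facades\DB;

/**
 * Revoke the refresh tokens left behind when access tokens are revoked
 * or deleted, then delete revoked/expired refresh-token rows.
 * Returns the affected-row counts so the job can log them.
 */
function pruneOrphanedRefreshTokens(): array
{
    // Refresh tokens whose access token was revoked (e.g. by
    // revokeOtherAccessTokens) but which are still marked as live.
    $revokedParents = DB::table('oauth_refresh_tokens')
        ->where('revoked', false)
        ->whereIn('access_token_id', function ($query) {
            $query->select('id')
                  ->from('oauth_access_tokens')
                  ->where('revoked', true);
        })
        ->update(['revoked' => true]);

    // Refresh tokens whose access token row no longer exists
    // (e.g. after Passport::pruneRevokedTokens() deleted it).
    $missingParents = DB::table('oauth_refresh_tokens')
        ->where('revoked', false)
        ->whereNotIn('access_token_id', function ($query) {
            $query->select('id')->from('oauth_access_tokens');
        })
        ->update(['revoked' => true]);

    // Finally drop rows that are revoked or past expiry so the table
    // does not grow without bound.
    $deleted = DB::table('oauth_refresh_tokens')
        ->where('revoked', true)
        ->orWhere('expires_at', '<', Carbon::now())
        ->delete();

    return compact('revokedParents', 'missingParents', 'deleted');
}

// In app/Console/Kernel.php, inside schedule():
// $schedule->call(function () { pruneOrphanedRefreshTokens(); })->daily();
```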