
Add endpoint to Admin API to revoke access tokens #1728

Open
aeneasr opened this issue Feb 18, 2020 · 2 comments
@aeneasr aeneasr commented Feb 18, 2020

Is your feature request related to a problem? Please describe.

It's currently not possible to revoke access tokens from client_credentials grants. This has been requested and I think it is a good idea to allow deletion of tokens based on the client_id. This makes sense if you lose trust in a client, for example, or if the secret changes.

Describe the solution you'd like

Similar to this API endpoint, it should be possible to revoke tokens without a consent session attached as well. A good endpoint would be:

DELETE <hydra-admin>/oauth2/tokens?client_id=...

Additional context

https://community.ory.sh/t/disable-client-in-hydra-for-a-while-and-re-enable-it/1510/8

@aeneasr aeneasr added this to the v1.4.0 milestone Feb 18, 2020
@aeneasr aeneasr added this to To do in Project Management Board via automation Feb 18, 2020
@aeneasr aeneasr moved this from To do to Priority in Project Management Board Feb 18, 2020
@lpedrosa lpedrosa commented Mar 25, 2020

This would be a pretty nice addition.

Would being able to revoke individual client_credential grants make sense as well? Or would that go against the use-case of this type of grant i.e. service-to-service authz?

I'm thinking about multiple instances of the same service holding different tokens.

@aeneasr aeneasr commented Mar 30, 2020

> Would being able to revoke individual client_credential grants make sense as well? Or would that go against the use-case of this type of grant i.e. service-to-service authz?

I think it's quite difficult to track that from an admin perspective because there is no session identifier. Also, client_credential doesn't have refresh tokens so they expire after an hour.
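An added example, written for this page in Go (Hydra's own language) and not code from the issue or from the Hydra project: a small admin-API client that issues the `DELETE <hydra-admin>/oauth2/tokens?client_id=...` request proposed in the issue, plus an in-memory stand-in for the server so the case raised in the thread (several instances of one service, each holding its own access token) can be run offline. Only the endpoint shape comes from the issue; the host name in the comment, the 204 success status, the server-side behaviour and the token strings are assumptions or constructed sample data. The client refuses an empty `client_id` before sending anything, because a revocation call that loses its filter must not quietly become "delete every token".

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// AdminClient calls the Hydra admin API over HTTP. Only the revocation
// endpoint proposed in this issue is implemented here.
type AdminClient struct {
	BaseURL string // e.g. http://hydra-admin:4445 (hypothetical host)
	HTTP    *http.Client
}

// RevokeClientTokens sends DELETE <admin>/oauth2/tokens?client_id=<id>. An empty
// client_id is rejected before any request goes out, so a missing filter can
// never widen into "delete every token". Expecting 204 is an assumption.
func (c *AdminClient) RevokeClientTokens(clientID string) error {
	if clientID == "" {
		return fmt.Errorf("refusing to revoke tokens without a client_id")
	}
	q := url.Values{"client_id": {clientID}}.Encode()
	req, err := http.NewRequest(http.MethodDelete, c.BaseURL+"/oauth2/tokens?"+q, nil)
	if err != nil {
		return err
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent {
		return fmt.Errorf("revoke: unexpected status %d", resp.StatusCode)
	}
	return nil
}

// fakeHydra is an in-memory stand-in for the admin API, constructed for this
// example and driven from one goroutine (so no locking). It records only which
// client_id obtained each access token: as the thread notes, a client_credentials
// token carries no session identifier, so client_id is the only handle to revoke by.
type fakeHydra struct {
	tokens map[string]string // access token -> client_id
	calls  []string          // request lines seen, for inspection
}

func (f *fakeHydra) handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		f.calls = append(f.calls, r.Method+" "+r.URL.RequestURI())
		id := r.URL.Query().Get("client_id")
		if r.Method != http.MethodDelete || r.URL.Path != "/oauth2/tokens" || id == "" {
			w.WriteHeader(http.StatusBadRequest) // refuse an unscoped delete server-side too
			return
		}
		for tok, owner := range f.tokens {
			if owner == id {
				delete(f.tokens, tok) // deleting during a range over a map is safe in Go
			}
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// Scenario models the multi-instance case raised in the thread: two instances of
// service-a hold different tokens and service-b holds one. Revoking by
// client_id=service-a must remove both service-a tokens and nothing else.
// It returns the tokens still valid afterwards and the requests the fake saw.
func Scenario() (remaining map[string]string, calls []string, err error) {
	fake := &fakeHydra{tokens: map[string]string{ // constructed sample tokens
		"tok-a-instance1": "service-a", "tok-a-instance2": "service-a", "tok-b": "service-b",
	}}
	srv := httptest.NewServer(fake.handler())
	admin := &AdminClient{BaseURL: srv.URL, HTTP: srv.Client()}
	err = admin.RevokeClientTokens("service-a")
	srv.Close() // blocks until the handler has returned, so reading fake below is safe
	return fake.tokens, fake.calls, err
}

func main() {
	remaining, calls, err := Scenario()
	fmt.Println("requests:", calls, "remaining:", remaining, "err:", err)
}
```

Run with `go run .`; after the single DELETE only `tok-b` survives. Pointing `AdminClient.BaseURL` at a real admin port instead of the `httptest` server is the only change needed to use it against a deployment that implements the endpoint, but check the status code the deployment actually returns before relying on the 204 assumption.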
