thephpleague/oauth2-server-bundle

Implementation of rfc7009 (Token revocation endpoints)

SherinBloemendaal opened this issue · 3 comments

It would be very beneficial if we could implement https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 enabling clients to revoke their tokens. This is particularly useful for non-confidential clients, for instance, when logging out.

I've attempted to implement this, but the existing repositories only support revocation based on an identifier, not the token itself. While a client can determine the access token's identifier by decoding the JWT, the refresh token is hashed, so the client never knows its identifier.

I can work on a PR?
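To make the requested behaviour concrete, here is an added, language-neutral model of an RFC 7009 revocation endpoint (section 2.1 request handling and section 2.2 response rules). It is example code written for this thread, not code from oauth2-server-bundle or league/oauth2-server; the in-memory stores, the digest-based lookup from opaque token value to stored identifier, the token values and the client ids are all constructed for the demo. The lookup table is the piece the issue is pointing at: because the client only ever holds the raw token, the server, not the client, has to map that value back to the identifier its repositories revoke by.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def token_lookup_key(token: str) -> str:
    # Constructed for this example: the server keeps a one-way digest of the opaque
    # token value so it can recover the stored identifier from the token alone.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class TokenStore:
    """One store per token type: identifier -> record, digest(token) -> identifier."""
    by_id: dict[str, dict] = field(default_factory=dict)
    by_digest: dict[str, str] = field(default_factory=dict)

    def issue(self, token_id: str, raw_token: str, client_id: str, linked_id: str | None = None) -> None:
        # linked_id: for a refresh token, the access token issued from the same grant.
        self.by_id[token_id] = {"client_id": client_id, "revoked": False, "linked_id": linked_id}
        self.by_digest[token_lookup_key(raw_token)] = token_id

    def find_id(self, raw_token: str) -> str | None:
        return self.by_digest.get(token_lookup_key(raw_token))

    def revoke(self, token_id: str) -> None:
        self.by_id[token_id]["revoked"] = True

    def is_revoked(self, token_id: str) -> bool:
        return self.by_id[token_id]["revoked"]


class RevocationEndpoint:
    SUPPORTED_HINTS = ("access_token", "refresh_token")

    def __init__(self, access: TokenStore, refresh: TokenStore) -> None:
        self.stores = {"access_token": access, "refresh_token": refresh}

    def handle(self, client_id: str, form: dict[str, str]) -> tuple[int, dict]:
        """Handle one POST body from an already-authenticated client; return (status, json)."""
        token = form.get("token")
        if not token:
            return 400, {"error": "invalid_request"}
        hint = form.get("token_type_hint")
        if hint is not None and hint not in self.SUPPORTED_HINTS:
            return 400, {"error": "unsupported_token_type"}
        # Section 2.1: the hint only says where to look first; if the token is not
        # found there the server must extend its search to the other token types.
        order = list(self.SUPPORTED_HINTS)
        if hint:
            order.remove(hint)
            order.insert(0, hint)
        for kind in order:
            store = self.stores[kind]
            token_id = store.find_id(token)
            if token_id is None:
                continue
            if store.by_id[token_id]["client_id"] != client_id:
                # Section 2.1: a token issued to another client is not revoked and the
                # request is refused (the RFC leaves the concrete error code to RFC 6749).
                return 400, {"error": "invalid_request"}
            store.revoke(token_id)
            if kind == "refresh_token":
                # Section 2.1 (SHOULD): revoking a refresh token also invalidates the
                # access token issued from the same grant.
                linked = store.by_id[token_id]["linked_id"]
                if linked is not None and linked in self.stores["access_token"].by_id:
                    self.stores["access_token"].revoke(linked)
            break
        # Section 2.2: unknown or already-invalid tokens still get 200, so the
        # endpoint cannot be used to probe which token values are live.
        return 200, {}


def demo() -> dict[str, object]:
    """Constructed scenario: a public client logs out by revoking its refresh token."""
    access, refresh = TokenStore(), TokenStore()
    access.issue("at-1", "eyJ.access.example", client_id="spa-client")
    refresh.issue("rt-1", "opaque-refresh-value", client_id="spa-client", linked_id="at-1")
    access.issue("at-2", "other-access", client_id="native-client")
    endpoint = RevocationEndpoint(access, refresh)

    # Wrong hint: the server falls back to the refresh store and still revokes.
    status_ok, _ = endpoint.handle("spa-client", {"token": "opaque-refresh-value", "token_type_hint": "access_token"})
    status_unknown, _ = endpoint.handle("spa-client", {"token": "never-issued"})
    status_bad_hint, body_bad_hint = endpoint.handle("spa-client", {"token": "x", "token_type_hint": "id_token"})
    status_other_client, _ = endpoint.handle("spa-client", {"token": "other-access"})
    return {
        "status_ok": status_ok,
        "refresh_revoked": refresh.is_revoked("rt-1"),
        "linked_access_revoked": access.is_revoked("at-1"),
        "status_unknown": status_unknown,
        "status_bad_hint": status_bad_hint,
        "bad_hint_error": body_bad_hint["error"],
        "status_other_client": status_other_client,
        "other_client_untouched": not access.is_revoked("at-2"),
    }
```

Running `demo()` shows the three properties a revocation endpoint needs: a wrong or missing `token_type_hint` still finds and revokes the token, an unknown token is answered with 200 rather than an error that would reveal whether the value was ever issued, and a token belonging to a different client is left untouched.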

Good idea.

I can work on a PR?

Please yes 🙌

I think this would be better done in the core package. Can't recall if someone has submitted a PR for this or not though

I agree with @Sephster this belongs to the lib first, since bundles should only be about integrating libraries into frameworks through DI. Please consider having a look there and if there's nothing in that sense, maybe work on a PR and come back to integrate it here. Thanks