Allow revoking access token without revoking refresh token
apexskier opened this issue
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe your problem
We'd like to be able to revoke an individual access token without revoking a refresh token.
The spec says:
If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.
Currently, fosite revokes both access and refresh tokens on any token revocation:
fosite/handler/oauth2/revocation.go, lines 58 to 59 in 45a6785
This effectively means we cannot revoke an access token if using refresh tokens, since it makes the refresh token useless.
Describe your ideal solution
Ideally, we'd like the token revocation endpoint to not revoke refresh tokens when an access token is revoked.
Alternatively, it would work if we could configure this behavior (either globally for our hydra instance or with an additional parameter to the revocation endpoint).
Workarounds or alternatives
We're not revoking access tokens where we'd like to be right now.
Another alternative would be to expose an admin endpoint in ory/hydra to revoke just access tokens.
Version
oryd/hydra:v2.1.1
Additional Context
No response
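The two behaviors the issue contrasts, as an added example that is not fosite's or hydra's code: a hypothetical in-memory store where both tokens of a grant share a request ID, and a `RevokeRefreshOnAccessRevocation` flag (assumed name) that reproduces the current cascade when true and revokes only the presented access token when false. Revoking a refresh token still invalidates the whole grant either way, and unknown tokens are a no-op as RFC 7009 requires.

```go
package main

// A hypothetical in-memory token store (not fosite's): both tokens of one
// grant share a RequestID, which is what makes a single revocation cascade.
type Token struct {
	Kind      string // "access_token" or "refresh_token"
	RequestID string
	Revoked   bool
}

type Store map[string]*Token // token value -> record

// Config is the knob the issue asks for (assumed name); true reproduces
// fosite's current behaviour, false revokes only the presented access token.
type Config struct {
	RevokeRefreshOnAccessRevocation bool
}

// Revoke applies RFC 7009 to one presented token. Revoking a refresh token
// always kills the whole grant (its access tokens were minted from it);
// revoking an access token reaches the refresh token only when configured.
func (s Store) Revoke(cfg Config, presented string) {
	t, ok := s[presented]
	if !ok {
		return // RFC 7009 §2.2: unknown or already-invalid tokens are not an error
	}
	for _, other := range s {
		if other.RequestID != t.RequestID {
			continue // tokens of other grants are never touched
		}
		switch {
		case other == t, t.Kind == "refresh_token":
			other.Revoked = true
		case other.Kind == "refresh_token" && cfg.RevokeRefreshOnAccessRevocation:
			other.Revoked = true
		}
	}
}

// NewGrant builds a constructed fixture: grant req-1 holds an access token and
// its refresh token; at-2 belongs to an unrelated grant and must survive.
func NewGrant() Store {
	return Store{
		"at-1": {Kind: "access_token", RequestID: "req-1"},
		"rt-1": {Kind: "refresh_token", RequestID: "req-1"},
		"at-2": {Kind: "access_token", RequestID: "req-2"},
	}
}
```

With the flag set, `s.Revoke(cfg, "at-1")` leaves `rt-1` revoked as well; with it cleared, `rt-1` stays usable and only `at-1` is invalidated.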
We just hit this again in another use case