stackoom
  简体   繁体   中英

Oauth2/Openid Connect. How to revoke unknown access/refresh tokens

 原文  2015-03-10 06:52:51       security/ oauth-2.0/ authorization/ access-token/ openid-connect

Question

In Oauth or Openid Connect, let's say an attacker takes an access or refresh token and the browser or app's caches are cleaned. Can a user revoke an access or refresh token issued by an Identity Provider if their string is not explicitly known?

2 answers

solution1
 2  2016-07-28 09:37:56

If your Token-Provider is at least an OAuth 2.0-Provider, it has to to implement the OAuth 2.0 Token Revocation .
The URL should be delivered by on OpenID Connect-Provider as "revocation_endpoint" in the /.well-known/openid-configuration.

solution2
 0  2015-03-10 08:50:51

It really depends on the implementation at the Identity Provider but typically you should be able to revoke the at least the refresh token. The refresh token is most often stored in persistent storage at the IDP and a user may login to the IDP to manage client authorizations and refresh tokens. As an example, Google allows users to manage those at: https://security.google.com/settings/security/permissions

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question OAuth and OpenId Connect Tokens clarification Safe to store Oauth2 access/refresh tokens in Shared Preferences in Android? How to revoke all the tokens for a user when they change their password with Jersey and OAuth2 Stealing access tokens in oAuth2 OAuth2 Password Grant vs OpenID Connect What benefits refresh tokens in OAuth2 How to persist OAuth 2 refresh tokens OAuth & OpenID Connect - When To Use Refresh Token & Which Route To Choose Access Tokens: Revoke vs Delete Do OAuth2 access tokens for a mobile app have to expire?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM