Refresh tokens are not being revoked when new access token is created #1462
Comments
Forgot to add, we have the
I have also checked the code again. If you don't migrate the previous_refresh_token column, the refresh_token will be revoked immediately when you use it to get a new access token. The
Memo for the code related to
@verenion So I think we can close this issue.
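The two behaviours the comment above describes (the old record revoked as soon as its refresh token is exchanged when the previous_refresh_token column is absent, or only once the new token is first used when it is present), set against the reporter's expectation that the previous access token is revoked on refresh, as an added Ruby model. This is example code written for this page, not Doorkeeper's implementation; TokenStore and rotate are names assumed here.

```ruby
# Added model of refresh-token rotation (not Doorkeeper's code). One record holds
# an access token and its refresh token; revoking the record revokes both.
require 'securerandom'
TokenRecord = Struct.new(:token, :refresh_token, :previous_refresh_token, :revoked_at)
class TokenStore
  attr_reader :records
  # revoke_on_use: true models a previous_refresh_token column being present (old
  # record revoked on first use of the new token); false models its absence (old
  # record revoked as soon as its refresh token is exchanged).
  def initialize(revoke_on_use:)
    @records = []
    @revoke_on_use = revoke_on_use
  end

  def issue(previous_refresh_token = nil)
    rec = TokenRecord.new(SecureRandom.hex(8), SecureRandom.hex(8), previous_refresh_token, nil)
    @records << rec
    rec
  end

  # Exchange a live refresh token for a new access/refresh token pair.
  def refresh(refresh_token)
    old = @records.find { |r| r.refresh_token == refresh_token && r.revoked_at.nil? }
    raise ArgumentError, 'refresh token invalid or already revoked' unless old
    return issue(old.refresh_token) if @revoke_on_use
    old.revoked_at = Time.now
    issue
  end

  # Resource-server check: accept a live token and, on its first use, revoke the
  # predecessor record it still points at.
  def authenticate(token)
    rec = @records.find { |r| r.token == token && r.revoked_at.nil? }
    return nil unless rec
    prev = @records.find { |r| r.refresh_token == rec.previous_refresh_token } if rec.previous_refresh_token
    prev.revoked_at ||= Time.now if prev
    rec.previous_refresh_token = nil
    rec
  end
end

# Run `rounds` refreshes; with use_new_token the client presents each new access
# token once, as a real client would. Returns the number of unrevoked records.
def rotate(revoke_on_use:, rounds:, use_new_token:)
  store = TokenStore.new(revoke_on_use: revoke_on_use)
  current = store.issue
  rounds.times do
    current = store.refresh(current.refresh_token)
    store.authenticate(current.token) if use_new_token
  end
  store.records.count { |r| r.revoked_at.nil? }
end
```

With revoke-on-use semantics, a client that keeps refreshing without ever presenting the new access token leaves one live record per refresh; in the immediate-revocation mode the count stays at one regardless.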
Steps to reproduce
Expected behavior
When an access token is generated from a refresh token, the previous access token should be revoked, according to the OAuth spec.
Actual behavior
Access tokens are never revoked, every refresh just causes a new access token to be created.
This is becoming a very large issue for us, we have fairly short-lived tokens on a very busy application. We are currently racking up 100m+ rows in oauth_access_tokens, and cleaning them out is pointless if it keeps creating more.
System configuration
Doorkeeper initializer: