Reputation: 143
Suppose I am a client application and I request resource owners to share their resources using authorization servers (and resource servers) like Facebook and Google. Let's assume that some of my access tokens were compromised. In that case, can I request Facebook or Google to revoke all those tokens? (I already know that tokens are short-lived, but can we revoke access? I tried looking it up in the Facebook developer section and on Stack Overflow and did not stumble upon anything on this.)
Upvotes: 1
Views: 39
Reputation: 117016
Access tokens are short-lived, normally an hour. There is an expiration within the access token:
{
  "nbf": 1528875493,
  "exp": 1528875793,
  .......
}
Exp tells you when the access token will expire. They are not actually stored on the servers anywhere. So no, there is no way for Facebook or Google to revoke an access token. Because access tokens are short-lived, it is assumed that they are reasonably secure, because if someone does get hold of your access token there is a very limited amount of time in which they can use it.
Upvotes: 1
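How a resource server can evaluate the `nbf` and `exp` claims shown in the answer above, as an added example that is not part of the original answer. The token is constructed and unsigned, the function names and the `leeway` parameter are assumptions, and signature verification is deliberately left out.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def read_claims(token: str) -> dict:
    """Return the payload of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def _is_timestamp(value) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)

def time_window_status(claims: dict, now: int, leeway: int = 0) -> str:
    """Classify a token against its nbf/exp window at Unix time `now`."""
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not _is_timestamp(exp):
        return "rejected: no usable exp claim"
    if nbf is not None and not _is_timestamp(nbf):
        return "rejected: malformed nbf claim"
    if nbf is not None and now + leeway < nbf:
        return "rejected: not yet valid"
    if now - leeway >= exp:
        return "rejected: expired"
    return f"accepted: {int(exp - now)}s remaining"

# Constructed sample token carrying the nbf/exp values quoted in the answer.
SAMPLE_CLAIMS = {"nbf": 1528875493, "exp": 1528875793}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "",  # empty signature: sample data only, never accept this in production
])

if __name__ == "__main__":
    claims = read_claims(SAMPLE_TOKEN)
    for now in (1528875400, 1528875600, 1528875793):
        print(now, time_window_status(claims, now))
```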