Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I'd like to use the OAuth2 Webhook to perform a check on the `refresh_token` and potentially revoke the token in that logic. However, while the hook _does_ get called during the refresh token flow, it does not actually provide the `refresh_token` itself to the hook. And the only way to officially revoke is through the endpoint that requires the token. I can restrict access by returning a `403 Forbidden` from the hook, but that still leaves the token active.

Do I venture down a path to directly edit the PGSQL db and revoke it myself, or is there a better way?

The only other alternative I can see right now is to just keep returning the `403` forever, but that really just means keeping a duplicate table where I associate something like the token signature (that _is_ passed to the hook) with the status.