Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey, I am Nicolas, software engineer at Spiko. We are dealing with an issue on our OAuth2 server. We are using the `revokeOAuth2ConsentSessions` function from the API to revoke a consent session and all the access token associated. But it does not revoke the refresh_token (which would only generate revoked access_token). We would need to be able to revoke it as well. Ideally, the refresh endpoint should fail when using a refresh token from revoked consent sessions. Can you help us on this? (cc <@U011D3UQKNY>)