https://www.ory.sh/ logo
#contributors
Title
# contributors
l

little-furniture-73809

11/16/2021, 1:32 PM
I am looking at this test case https://github.com/ory/hydra/blob/master/oauth2/fosite_store_helpers.go#L185-L212 and I see that it stores multiple sessions with same request ID, is this really valid? shouldn't request IDs be unique? especially because fosite store interface has
RevokeAccessToken
and
RevokeRefreshToken
which operate based on request ID, so then they can revoke multiple tokens?
ping @high-optician-2097
h

high-optician-2097

11/22/2021, 12:47 PM
Yes, revokation revokes the whole request chain as per spec
l

little-furniture-73809

11/22/2021, 1:45 PM
but isn't there always just one token per (request ID, token type)?
h

high-optician-2097

11/22/2021, 1:48 PM
Not with the new graceful feature
l

little-furniture-73809

11/22/2021, 1:52 PM
I see, thanks
h

high-optician-2097

11/22/2021, 1:53 PM
any time
7 Views