Combination of the default values of uaa.jwt.refresh.format (jwt) and uaa.jwt.revocable (false) results in spec-non-compliance #813
Based on the OAuth spec, refresh tokens need to be individually revocable.
However, when we leave uaa.jwt.refresh.format (default = jwt) and uaa.jwt.revocable (default = false) at UAA-release's defaults, UAA is not compliant with this requirement.
Though it is okay to have non-spec-compliant config options for backward compatibility reasons, the default UAA-release config should be spec-compliant. One solution is to set uaa.jwt.refresh.format's default to opaque. This would require a breaking change.

Steps of reproduction:
Revoking an individual refresh token does not work
=> 404