#dev 2021-09-18

2021-09-18 UTC
Seirdy, [jeremycherfas], hendursa1, jjuran and barryf[d] joined the channel
tetov-irc joined the channel
#
capjamesg[d]
[KevinMarks]++ for his thoughts on linking in this week's Europe HWC.
#
Loqi
[KevinMarks] has 17 karma in this channel over the last year (46 in all channels)
#
capjamesg[d]
I typed in "awk" and was led to a lovely comic about awk.
#
capjamesg[d]
Links are really helping to improve relevance.
KartikPrabhu and hendursaga joined the channel
#
GWG
!tell jamietanna When you have a few minutes, would you be able to act as a sounding board for refresh token implementation?
#
Loqi
Ok, I'll tell them that when I see them next
hendursaga, [Michael_Ungar], alex11 and [schmarty] joined the channel
#
[snarfed]
https://v2.jacky.wtf/ has been down for the last day or so. :hugops: jacky, hope it's back up soon!
#
GWG
So, I built a simple refresh token implementation, but the refresh tokens aren't tied to the access tokens, so the only way a refresh token gets removed is if it expires or is redeemed. Seems wrong
KartikPrabhu and jamietanna joined the channel
#
jamietanna
GWG I don't have them tied currently (nor have revocation), but I'm planning on having a "consent ID" that'll be in both tokens, and be what can be used to revoke both tokens by the user
#
Loqi
jamietanna: GWG left you a message 5 hours, 36 minutes ago: When you have a few minutes, would you be able to act as a sounding board for refresh token implementation?
#
GWG
jamietanna: My access tokens have a generated uuid I put in a few versions ago I could link to
#
GWG
I have revocation for access, not refresh tokens
#
GWG
Authorization codes, access tokens, and refresh tokens are all stored the same way, using the same class with only different locations passed.
#
jamietanna
Yeah so I guess you'd probably want i.e. the UUID that's in the access token to be linked to the authorization code, and refresh token too
#
GWG
That's a good idea.
#
GWG
I don't put a uuid in the authorization code.
#
GWG
I should pass the same one along.
#
GWG
So, if I redeem a refresh token, I should invalidate the old refresh token, which is fine, but should I also invalidate the access tokens associated with that refresh token, or just let them expire naturally?
shoesNsocks1 and jamietanna1 joined the channel
#
jamietanna1
The user / app has said revoke, so generally all access should be revoked ASAP
#
jamietanna1
Oh wait sorry this is on a refresh
#
jamietanna1
No, an access token should still be valid
#
aaronpk
I would say it makes sense to revoke the access token immediately too. Since only one client should be using the access token, if that client uses the refresh token then it should never be using the previous access token again
#
aaronpk
the only exception is clients that are made up of multiple parts (threads, processes, etc) where they may not be able to coordinate between all the parts
#
GWG
Do we have any of those?
#
GWG
Also looking for other reasons that I might want to revoke a refresh token...lack of use of the associated access token?
#
GWG
I should have this done tonight.
#
GWG
Although this idea of having the uuid be generated by the authorization code and passed to the access token it uses... interesting
nertzy joined the channel
tetov-irc and KartikPrabhu joined the channel