GithubHelp home page GithubHelp logo

Comments (4)

cziegenberg avatar cziegenberg commented on July 4, 2024

In #25 I proposed a similar change for the deleteSession method: "differ between the owner type to delete only expired sessions when the Client Credentials Grant is used."

Perhaps this needs to be done for all grant types? I couldn't find anything in the RFC that doesn't allow this behavior. This is already possible and depends on your implementation of the Session Storage, but should be default I think.

from oauth2-server.

jacobweber avatar jacobweber commented on July 4, 2024

Is there a reason not to do this in the Auth Code and Implicit grants as well?

from oauth2-server.

jfse avatar jfse commented on July 4, 2024

I think @jacobweber is correct here, this should be removed for all grant types.

Basic example: you have an android application, it uses a certain client id. If a user has a mobile phone and a tablet he would be unable to login to both devices unless they use different client ids. This is a common thing I would think, even having 2 android mobile phones is not entierly unheard of.

As it is today, if you login to one device your tokens for the other would be removed.

Some way to clear old sessions are necessary though, but it would need to make sure there are no valid tokens associated with them first as stated by @michaelhogg above. For myself I would write a cronjob to clear these, but it might be a good idea to have this functionality available in the repository in some way.

from oauth2-server.

stefanocutello avatar stefanocutello commented on July 4, 2024

Followup on @jacobweber and @jfse comment.

Re: skip deleteSession in AuthCode
@alexbilbie I need to allow multiple access_token for all credentials in v2.1.1: as a quick patch I'm considering to remove the call to deleteSession() from the AuthCode grant (like you did for ClientCredential and Password) could you please explain the reasons why you have not done it on v2.1.1? Is there any risks/downside in doing so there (before upgrading to v3 where I see "All grants no longer remove old sessions by default")?

Re: cleanup old session
@jfse I'm also considering a cronjob to cleanup old expired session but I agree there should be a garbage collect module builtin in the library (that can be used in a cronjob). Is there anything like that?

from oauth2-server.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.