Comments (4)
In #25 I proposed a similar change for the deleteSession method: "differ between the owner type to delete only expired sessions when the Client Credentials Grant is used."
Perhaps this needs to be done for all grant types? I couldn't find anything in the RFC that doesn't allow this behavior. This is already possible and depends on your implementation of the Session Storage, but should be default I think.
from oauth2-server.
Is there a reason not to do this in the Auth Code and Implicit grants as well?
from oauth2-server.
I think @jacobweber is correct here, this should be removed for all grant types.
Basic example: you have an android application, it uses a certain client id. If a user has a mobile phone and a tablet he would be unable to login to both devices unless they use different client ids. This is a common thing I would think, even having 2 android mobile phones is not entierly unheard of.
As it is today, if you login to one device your tokens for the other would be removed.
Some way to clear old sessions are necessary though, but it would need to make sure there are no valid tokens associated with them first as stated by @michaelhogg above. For myself I would write a cronjob to clear these, but it might be a good idea to have this functionality available in the repository in some way.
from oauth2-server.
Followup on @jacobweber and @jfse comment.
Re: skip deleteSession in AuthCode
@alexbilbie I need to allow multiple access_token for all credentials in v2.1.1: as a quick patch I'm considering to remove the call to deleteSession() from the AuthCode grant (like you did for ClientCredential and Password) could you please explain the reasons why you have not done it on v2.1.1? Is there any risks/downside in doing so there (before upgrading to v3 where I see "All grants no longer remove old sessions by default")?
Re: cleanup old session
@jfse I'm also considering a cronjob to cleanup old expired session but I agree there should be a garbage collect module builtin in the library (that can be used in a cronjob). Is there anything like that?
from oauth2-server.
Related Issues (20)
- Implict grant for OIDC not supported HOT 1
- Why setUserIdentifier, not setUser? HOT 9
- Test Refresh Token Fails on Google Home Test Suite HOT 2
- Possibility of using different encryptor for shortening auth code HOT 2
- Does anyone know if this library is vulnerable to this hack? HOT 1
- Support league/event v3 HOT 4
- League/Oauth2-Server Key Exposure In Exception Message HOT 2
- AccessTokenTrait::__toString gives different result each call HOT 1
- Wrong Type in DocBlock 3rd param `AbstractGrant::issueAccessToken` HOT 1
- AuthCodeGrant applies wrong validation rules on code_challenge HOT 4
- 2FA HOT 1
- Support for PHP 8.3 HOT 1
- Testing v9-rc1 on Laravel Passport HOT 13
- Authentication scheme should be matched case-insensitively HOT 1
- Oauth
- The `scope` parameter has been mistakenly required on device access token request HOT 2
- Compatibility on interfaces HOT 2
- Initial Configuration
- client_credentials has empty sub, how to get user information? HOT 1
- Issue with redirect_uri in Authorization Code Grant HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oauth2-server.