by dmatech
1074 days ago
It depends on the scenario. I can think of the following, although they're pretty similar.

1. Lost/stolen access token.
2. Lost/stolen refresh token.
3. Disabled account.

In the case of systems like Azure where access tokens have an "audience", they could theoretically send a revocation message to the audience endpoint (which would only need to care about revocations younger than the duration of access tokens, much like a CRL). Revoking a refresh token would probably need to revoke all access (and perhaps identity) tokens associated with it. Disabling an account would just need to revoke all tokens associated with it.
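One way the audience-side revocation cache sketched in the comment above could look, covering all three scenarios and the CRL-like pruning, as an added example that is not part of the original comment or of any vendor's implementation (the token fields, the one-hour lifetime and the injectable clock are assumptions):

```python
import time
from dataclasses import dataclass

# Constructed assumption: access tokens live at most one hour, so a revocation
# older than that is moot (every token it covered has expired) and can be dropped.
ACCESS_TOKEN_LIFETIME = 3600

@dataclass(frozen=True)
class AccessToken:
    jti: str    # token id
    sub: str    # account the token was issued to
    rid: str    # id of the refresh token that minted it
    iat: float  # issued-at, epoch seconds
    exp: float  # expiry, epoch seconds

class AudienceRevocations:
    """CRL-style revocation cache kept by the audience (resource server)."""

    def __init__(self, now=time.time, lifetime=ACCESS_TOKEN_LIFETIME):
        self._now = now          # injectable clock, so tests are deterministic
        self._lifetime = lifetime
        self._jti = {}           # jti -> time revoked   (scenario 1)
        self._refresh = {}       # rid -> time revoked   (scenario 2)
        self._disabled = {}      # sub -> time disabled  (scenario 3)

    def revoke_token(self, jti):
        self._jti[jti] = self._now()

    def revoke_refresh(self, rid):
        self._refresh[rid] = self._now()

    def disable_account(self, sub):
        self._disabled[sub] = self._now()

    def prune(self):
        # Entries older than one token lifetime can no longer affect a live token.
        cutoff = self._now() - self._lifetime
        for table in (self._jti, self._refresh, self._disabled):
            for key in [k for k, t in table.items() if t < cutoff]:
                del table[key]

    def is_valid(self, tok):
        if tok.exp <= self._now() or tok.jti in self._jti:
            return False  # expired, or this one token was revoked
        if tok.rid in self._refresh:
            return False  # its refresh token was revoked, taking it along
        # Disabling an account revokes everything issued up to that moment;
        # a token issued later (account re-enabled) is accepted.
        disabled_at = self._disabled.get(tok.sub)
        return disabled_at is None or tok.iat > disabled_at
```

The cache only ever holds entries younger than one token lifetime, which is what keeps it bounded regardless of how many tokens the issuer has minted.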