Expired ID tokens are not removed #1222
Comments
@Pankrat Thanks for noticing this. Since OIDC was a late addition to DOT, I suspect the requisite changes to cleartokens was missed -- it's got a very short commit history. Regarding the automatic clearing of an ID_token when an access_token is revoked, that "feels" right. If the access_token was revoked I would think Please do submit a PR! Or maybe two, in order to separate the two concerns.
The `cleartokens` management command removed expired refresh tokens and associated access tokens but kept expired ID tokens in the database. Remove ID tokens when the associated access and refresh tokens are cleared. Preserve expired ID tokens until the associated access token is deleted to keep relationships intact and not trigger delete cascades. Fixes jazzband#1222
Describe the bug
When running `django-admin cleartokens`, access tokens and refresh tokens are cleared as documented, but expired ID tokens stick around in the DB until they are removed manually.
To Reproduce
- `OIDC_ENABLED = True`
- `REFRESH_TOKEN_EXPIRE_SECONDS` to a low value
- `ACCESS_TOKEN_EXPIRE_SECONDS` to a low value
- `ID_TOKEN_EXPIRE_SECONDS` to a low value
- `django-admin cleartokens`
Expected behavior
I'd expect the ID token to be removed alongside the access token which holds the reference OR the ID token to be removed from the database when it expired.
Version
Tested with version 2.1.0.
Additional context
More generally, I wonder if revoking an access token should clear the ID token (if there is one), similar to how revoking a refresh token clears the associated access token?
I'd be willing to contribute a test and patch to the issue if a patch would be welcome for this issue (please let me know if that's the case).
Thanks for your consideration!
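To make the reported behaviour and the fix concrete, here is an added example (not code from the issue or from django-oauth-toolkit itself) that models the three token tables as an in-memory stand-in, runs the cleanup the issue describes beside the corrected one, and includes an audit check for ID tokens left behind. The table layout, the `expires` field on each token and the fixture values are assumptions made for this example.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Simplified in-memory stand-in for DOT's token tables (an assumption for the
# example, not the project's ORM): refresh -> access -> optional ID token.
IDToken = namedtuple("IDToken", "pk expires")
AccessToken = namedtuple("AccessToken", "pk expires id_token")
RefreshToken = namedtuple("RefreshToken", "pk expires access_token")

def clear_expired_reported(store, now):
    """Behaviour the issue reports for 2.1.0: expired refresh tokens take their
    access token with them, expired access tokens go, ID tokens are untouched."""
    for rt in [r for r in store["refresh"].values() if r.expires <= now]:
        store["access"].pop(rt.access_token.pk, None)
        del store["refresh"][rt.pk]
    for at in [a for a in store["access"].values() if a.expires <= now]:
        del store["access"][at.pk]

def stale_id_tokens(store, now):
    """Audit check: expired ID tokens that no surviving access token references."""
    referenced = {a.id_token.pk for a in store["access"].values() if a.id_token}
    return sorted(t.pk for t in store["id_tokens"].values()
                  if t.expires <= now and t.pk not in referenced)

def clear_expired_fixed(store, now):
    """Same cleanup, then drop the stale ID tokens. ID tokens still referenced
    by an access token are kept, so nothing cascades from the ID-token side."""
    clear_expired_reported(store, now)
    for pk in stale_id_tokens(store, now):
        del store["id_tokens"][pk]

def sample_store(now):
    """Constructed fixture: token set 1 expired an hour ago, set 2 valid for an hour."""
    store = {"access": {}, "refresh": {}, "id_tokens": {}}
    for pk, delta in ((1, -timedelta(hours=1)), (2, timedelta(hours=1))):
        idt = IDToken(pk, now + delta)
        at = AccessToken(pk, now + delta, idt)
        store["id_tokens"][pk], store["access"][pk] = idt, at
        store["refresh"][pk] = RefreshToken(pk, now + delta, at)
    return store

def demo():
    """Run both variants on identical fixtures; return what each leaves behind."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    reported, fixed = sample_store(now), sample_store(now)
    clear_expired_reported(reported, now)
    clear_expired_fixed(fixed, now)
    return (sorted(reported["id_tokens"]), stale_id_tokens(reported, now),
            sorted(fixed["id_tokens"]), stale_id_tokens(fixed, now))
```

`demo()` shows the reported cleanup leaving ID token 1 orphaned while the fixed cleanup removes it and keeps ID token 2, whose access token is still valid.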