
Separate Resource Server: disable caching of token in Resource server to allow token revoke

Open wolendranh opened this issue 3 years ago • 2 comments

Hi! It seems that if the Resource server is separated from the Auth server, tokens are cached in the Resource server. How is revoke handled in such a case? I am talking about the following scenario:

  1. Auth server issues a token
  2. Resource server caches it in the oauth2_provider_accesstoken table
  3. Auth server admin revokes the token
  4. Resource server is out of sync? Is it possible to disable caching and allow introspection to be done with each and every request?

According to RFC 7662:

The response MAY be cached by the protected resource to improve performance and reduce load on the introspection endpoint, but at the cost of liveness of the information used by the protected resource to make authorization decisions.

And also:

Highly sensitive environments can opt to disable caching entirely on the protected resource to eliminate the risk of stale cached information entirely, again at the cost of increased network traffic and server load.

So there should be an ability to disable the cache?

wolendranh avatar Apr 28 '21 10:04 wolendranh

Hi! Is this project active? I created this question 14 days ago and there is no response at all :(

wolendranh avatar May 12 '21 09:05 wolendranh

Faced the same issue before...

Take a look at this setting for the resource server.

RESOURCE_SERVER_TOKEN_CACHING_SECONDS

The number of seconds an authorization token received from the introspection endpoint remains valid. If the expire time of the received token is less than RESOURCE_SERVER_TOKEN_CACHING_SECONDS, the expire time will be used.

LesPrimus avatar Jun 30 '21 11:06 LesPrimus