
Change AccessTokenRepositoryInterface to accept the complete token instead of just tokenID.

Open 2blane opened this issue 6 years ago • 4 comments

If the methods revokeAccessToken and isAccessTokenRevoked are changed to accept the AccessTokenEntityInterface instead of just a tokenID, then we can look up who the user is as well as the client. This will allow us to store tokens in databases as "userID" -> [token1, token2, token3]. Right now, we have to store the data twice: once as "token1" -> userID, and then, if we want to look up tokens by user, we have to store this data again as "userID" -> [token1, token2, token3].

2blane, Aug 27 '17 20:08

+1 for this. I have the same issue.

thuethe, Jul 24 '18 12:07

@2blane and @thuethe could this not be solved by your database schema?

Why don't you have a pivot table between users and tokens so that these can easily be searched? I think the suggestion is probably a valid one but I want to understand your specific issue before this is progressed.

If this change is made, it will likely be in version 8. Thank you for your time

Sephster, Jul 27 '18 11:07
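To show what the "solve it in your schema" suggestion looks like against the interface as it exists today, here is an added example repository (my code, not the project's and not posted by anyone in this thread). It assumes league/oauth2-server v8 installed through Composer, PHP 8.0 or newer and ext-pdo_sqlite; the table name, column names and the demo identifiers are invented for the example. The point is that persistNewAccessToken already receives the full AccessTokenEntityInterface, so user and client are written once at issue time and "tokens for user X" becomes an indexed query on the same table, while revokeAccessToken and isAccessTokenRevoked keep working from the token identifier alone.

```php
<?php
// Added example, not code from the issue or from league/oauth2-server.
// Assumes league/oauth2-server v8 via Composer, PHP >= 8.0, ext-pdo_sqlite.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
use League\OAuth2\Server\Entities\Traits\ClientTrait;
use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\Traits\ScopeTrait;
use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;

// Minimal entities assembled from the library's own traits.
final class AccessToken implements AccessTokenEntityInterface { use AccessTokenTrait, TokenEntityTrait, EntityTrait; }
final class Client implements ClientEntityInterface { use ClientTrait, EntityTrait; }
final class Scope implements ScopeEntityInterface { use ScopeTrait, EntityTrait; }

// One row per token carries user_id and client_id, so "tokens for user X" is an
// indexed query on the same table, not a second copy of the data. The interface
// is unchanged: revoke/isRevoked still receive only the token id (the JWT jti).
final class PdoAccessTokenRepository implements AccessTokenRepositoryInterface
{
    public function __construct(private PDO $pdo)
    {
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS oauth_access_tokens ('
            . ' token_id TEXT PRIMARY KEY,'
            . ' user_id TEXT,'                  // NULL for client_credentials grants
            . ' client_id TEXT NOT NULL,'
            . ' expires_at INTEGER NOT NULL,'   // unix time
            . ' revoked INTEGER NOT NULL DEFAULT 0)');
        $pdo->exec('CREATE INDEX IF NOT EXISTS oauth_access_tokens_user ON oauth_access_tokens (user_id)');
    }

    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null): AccessTokenEntityInterface
    {
        $token = new AccessToken();
        $token->setClient($clientEntity);
        foreach ($scopes as $scope) {
            $token->addScope($scope);
        }
        $token->setUserIdentifier($userIdentifier);
        return $token;
    }

    // The full entity is available here, so user and client are stored once, at issue time.
    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity): void
    {
        try {
            $this->pdo->prepare('INSERT INTO oauth_access_tokens (token_id, user_id, client_id, expires_at) VALUES (?, ?, ?, ?)')
                ->execute([
                    $accessTokenEntity->getIdentifier(),
                    $accessTokenEntity->getUserIdentifier(),
                    $accessTokenEntity->getClient()->getIdentifier(),
                    $accessTokenEntity->getExpiryDateTime()->getTimestamp(),
                ]);
        } catch (PDOException $e) {
            if ((string) $e->getCode() === '23000') { // duplicate jti: the library retries with a fresh one
                throw UniqueTokenIdentifierConstraintViolationException::create();
            }
            throw $e;
        }
    }

    public function revokeAccessToken($tokenId): void
    {
        $this->pdo->prepare('UPDATE oauth_access_tokens SET revoked = 1 WHERE token_id = ?')->execute([$tokenId]);
    }

    // Fail closed: a validly signed token whose id was never stored is treated as revoked.
    public function isAccessTokenRevoked($tokenId): bool
    {
        $stmt = $this->pdo->prepare('SELECT revoked FROM oauth_access_tokens WHERE token_id = ?');
        $stmt->execute([$tokenId]);
        $revoked = $stmt->fetchColumn();
        return $revoked === false || (int) $revoked === 1;
    }

    // Not part of the interface: the per-user lookup the issue asks for, served by the same table.
    public function liveTokenIdsForUser(string $userId): array
    {
        $stmt = $this->pdo->prepare('SELECT token_id FROM oauth_access_tokens WHERE user_id = ? AND revoked = 0 AND expires_at > ?');
        $stmt->execute([$userId, time()]);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    }
}

// Constructed demo: issue two tokens for one user, revoke one, list what is left.
$client = new Client();
$client->setIdentifier('spa-frontend');
$scope = new Scope();
$scope->setIdentifier('profile');
$repo = new PdoAccessTokenRepository(new PDO('sqlite::memory:'));
foreach (['jti-0001', 'jti-0002'] as $jti) {
    $token = $repo->getNewToken($client, [$scope], 'user-42');
    $token->setIdentifier($jti);
    $token->setExpiryDateTime((new DateTimeImmutable())->modify('+1 hour'));
    $repo->persistNewAccessToken($token);
}
$repo->revokeAccessToken('jti-0001');
var_dump($repo->isAccessTokenRevoked('jti-0001'), $repo->liveTokenIdsForUser('user-42'));
```

Two design choices worth noting: the implementation methods keep `$tokenId` untyped because the v8 interface declares it that way and PHP does not allow narrowing a parameter type in an implementation; and an unknown token id is reported as revoked rather than live, so a token that was signed correctly but never persisted (for example, one minted by a misconfigured second issuer) does not pass.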

If you could outline why you are wanting to retrieve the user ID associated with the token as well that would be much appreciated.

Sephster, Jul 27 '18 11:07

@Sephster My problem is different from theirs, but you also need to change AccessTokenRepositoryInterface to accept the token instead of the tokenID.

From the perspective of the resource server: the resource server and the auth server are not on the same machine. The client requests the resource server with an access_token, and the resource server uses your ResourceServerMiddleware to validate the access_token, which actually uses accessTokenRepositoryInterface::isAccessTokenRevoked() to validate it. According to RFC 7662 and this document, the auth server has an introspection endpoint to validate an access_token from a resource server request with an access_token parameter. I want to use accessTokenRepositoryInterface::isAccessTokenRevoked() to call that endpoint, but the method parameter is the tokenId instead of the token.

Veitor, Apr 14 '20 03:04
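The resource-server case above is the one where the tokenId-only signature bites hardest, so here is an added example (my code, not the project's and not posted in this thread) of a repository whose isAccessTokenRevoked() answers by performing the RFC 7662 introspection exchange. It assumes league/oauth2-server v8, PHP 8.0 or newer and ext-curl. The important assumption, stated in the code as well: because the library's bearer-token validator has already verified the JWT signature and then hands isAccessTokenRevoked() only the `jti` claim, this example sends that identifier as the RFC 7662 `token` parameter, which means the authorization server's introspection endpoint must be willing to look tokens up by identifier; RFC 7662 leaves the form of the token string to the issuing server, but an endpoint that only accepts the original token string would need the raw bearer token, which is exactly what the interface does not pass. The endpoint URL and credentials are placeholders.

```php
<?php
// Added example, not code from the issue or from league/oauth2-server.
// Assumes league/oauth2-server v8 on the resource server, PHP >= 8.0, ext-curl.
// Assumption: the authorization server's RFC 7662 endpoint accepts the token
// identifier (JWT "jti") as the `token` parameter, because that is all the
// library hands to isAccessTokenRevoked(). RFC 7662 leaves the token string's
// form to the server that issued it; check yours before relying on this.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;

// Client side of the RFC 7662 exchange: POST application/x-www-form-urlencoded with
// `token` (and `token_type_hint`), authenticated with the resource server's own
// credentials, expecting a JSON object whose "active" member decides everything.
final class IntrospectionClient
{
    public function __construct(
        private string $endpoint,      // hypothetical, e.g. https://auth.example.test/introspect
        private string $clientId,
        private string $clientSecret,
    ) {}

    public function introspect(string $token, string $hint = 'access_token'): array
    {
        $ch = curl_init($this->endpoint);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => http_build_query(['token' => $token, 'token_type_hint' => $hint]),
            CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded', 'Accept: application/json'],
            CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
            CURLOPT_USERPWD        => $this->clientId . ':' . $this->clientSecret,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => 2,
            CURLOPT_TIMEOUT        => 5,
            CURLOPT_SSL_VERIFYPEER => true,           // the answer is only as trustworthy as the peer
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never let a redirect downgrade to plain HTTP
        ]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);

        if (!is_string($body) || $status !== 200) {
            throw new RuntimeException("introspection failed (HTTP $status)");
        }
        $data = json_decode($body, true, 16, JSON_THROW_ON_ERROR);
        if (!is_array($data) || !array_key_exists('active', $data)) {
            throw new RuntimeException('introspection response lacks "active"');
        }
        return $data; // may also carry sub, client_id, scope, exp, jti (RFC 7662 section 2.2)
    }
}

// Resource-server repository: only isAccessTokenRevoked() is meaningful here,
// because issuance, persistence and revocation happen on the authorization server.
final class IntrospectingAccessTokenRepository implements AccessTokenRepositoryInterface
{
    public function __construct(private IntrospectionClient $client) {}

    public function isAccessTokenRevoked($tokenId): bool
    {
        try {
            $info = $this->client->introspect((string) $tokenId);
        } catch (Throwable $e) {
            return true; // fail closed: an unreachable or malformed introspection answer denies access
        }
        // RFC 7662: anything other than boolean true means the token is not active.
        return $info['active'] !== true;
    }

    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null): AccessTokenEntityInterface
    {
        throw new LogicException('tokens are issued by the authorization server, not by this resource server');
    }

    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity): void
    {
        throw new LogicException('tokens are persisted by the authorization server, not by this resource server');
    }

    public function revokeAccessToken($tokenId): void
    {
        throw new LogicException('revoke through the authorization server, not from this resource server');
    }
}

// Wiring into the library's resource server (hypothetical URL, client id and key path):
// $repo = new IntrospectingAccessTokenRepository(
//     new IntrospectionClient('https://auth.example.test/introspect', 'api-resource', getenv('RS_SECRET') ?: '')
// );
// $server = new \League\OAuth2\Server\ResourceServer($repo, 'file://' . __DIR__ . '/public.key');
```

Every request to the resource server now costs one round trip to the authorization server, so in practice the result is cached for a short window keyed by `jti`; the fail-closed branch is deliberate, since treating a timeout as "not revoked" would turn an outage of the authorization server into an authorization bypass.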