oauth2-server
Change AccessTokenRepositoryInterface to accept the complete token instead of just tokenID.
If the methods revokeAccessToken and isAccessTokenRevoked are changed to accept the AccessTokenEntityInterface instead of just a tokenID, then we can look up who the user is as well as the client. This will allow us to store tokens in databases as "userID" -> [token1, token2, token3]. Right now, we have to store the data twice: once as "token1" -> userID, and then, if we want to look up tokens by user, we have to store this data again as "userID" -> [token1, token2, token3].
+1 for this. I have the same issue.
@2blane and @thuethe could this not be solved by your database schema?
Why don't you have a pivot table between users and tokens so that these can easily be searched? I think the suggestion is probably a valid one but I want to understand your specific issue before this is progressed.
If this change is made, it will likely be in version 8. Thank you for your time.
If you could outline why you are wanting to retrieve the user ID associated with the token as well that would be much appreciated.
@Sephster My problem is different from theirs, but you also need to change AccessTokenRepositoryInterface to accept the token instead of the tokenID.
From the perspective of the resource server, the resource server and auth server are not on the same machine. The client requests the resource server with an access_token; the resource server uses your ResourceServerMiddleware to validate the access_token, and actually uses accessTokenRepositoryInterface::isAccessTokenRevoked() to validate it. According to RFC7662 and this document, the auth server has an introspect endpoint to validate the access_token from the resource server's request, with the access_token in the params. I want to use accessTokenRepositoryInterface::isAccessTokenRevoked() to request that endpoint, but the method param is tokenId instead of token.
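The introspection call described in the comment above, as an added example that is not part of the oauth2-server project: a resource server asking the auth server's RFC 7662 endpoint whether a token is active, treating any failure as "not active". The endpoint URL, the resource server's credentials and the class name are assumptions; the point it illustrates is that the request needs the full access token, which a repository receiving only a tokenId cannot supply.

```php
<?php
// Added example (not the oauth2-server project's code): RFC 7662 token
// introspection as a resource server would perform it. Assumed values: the
// introspection URL and the credentials the resource server uses to
// authenticate to the auth server.

final class IntrospectionClient
{
    public function __construct(
        private string $introspectionUrl,     // assumed: auth server's RFC 7662 endpoint
        private string $resourceServerId,     // assumed: client id registered for this resource server
        private string $resourceServerSecret, // assumed: its secret
        private int $timeoutSeconds = 5
    ) {}

    /**
     * Returns true only when the auth server explicitly reports the token as active.
     * A transport error, a non-200 status or a malformed body yields false, so an
     * unreachable or misbehaving auth server never results in access being granted.
     */
    public function isActive(string $accessToken): bool
    {
        $ch = curl_init($this->introspectionUrl);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            // RFC 7662 section 2.1: form-encoded "token" plus an optional hint
            CURLOPT_POSTFIELDS     => http_build_query([
                'token'           => $accessToken,
                'token_type_hint' => 'access_token',
            ]),
            CURLOPT_HTTPHEADER     => ['Accept: application/json'],
            // the endpoint is protected; authenticate as the resource server
            CURLOPT_USERPWD        => $this->resourceServerId . ':' . $this->resourceServerSecret,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => $this->timeoutSeconds,
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);

        if ($body === false || $status !== 200) {
            return false; // fail closed
        }
        $json = json_decode($body, true);
        // RFC 7662 section 2.2: "active" is a required boolean in the response
        return is_array($json) && ($json['active'] ?? false) === true;
    }
}
```

A repository's isAccessTokenRevoked() would then return the negation of isActive($token), which is only possible once the method receives the token itself rather than its ID.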