Changing roles does not affect the access token

Created on 13 October 2023, about 1 year ago

Updated 30 October 2023, about 1 year ago

Problem/Motivation

Hi, I am using this module to login to an application. And I ran into a problem. When I refresh the user's roles, the access token is removed, everything is ok, but when the user requests a new access token using the refresh token, he gets the same scopes (roles).

Am I doing something I don't understand or is this a bug?

💬 Support request

Status

Needs review

Version

5.2

Component

Documentation

Created by

BMO

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Comments & Activities

Issue created by @BMO
Comment about 1 year ago →
🇭🇺Hungary mxr576 Hungary
If this is true this could a be security problem as well...
@bmo opened merge request.
Status changed to Needs review about 1 year ago11:22am 17 October 2023
Comment about 1 year ago →
BMO
I've added a reproduction of this behavior to the test.
Can someone check what the problem is?
Comment about 1 year ago →
🇺🇸United States paul121 Spokane, WA
Related issues for revoking refresh tokens on profile update which I think would solve this problem: 💬 [PP-1] Revoke refresh tokens Needs work and 📌 Auth revoke on profile update Needs review which has MRs for both 5.2 and 6.

Thanks @BMO for adding tests here.. if you can add tests to the other issues that might help move things along?

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024