Let's assume that a user has given a third-party application permission to do Action1, for example, and later on he no longer has permission to do that action (e.g. it was removed by the admin). Now he can't do that action. When the third-party application sends a request to Passport to do the now-forbidden Action1, what should be done?
Just guessing: it's one of two.
1- When the permission changes, revoke all related access tokens (leave the refresh tokens alone, maybe?) to force the app to refresh its now-revoked token.
OR
2- Return a 400 error when the third-party application asks to do Action1.
Any ideas?
via Chebli Mohamed
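As an added illustration (not code from the original post), the two options above written as Laravel Passport code. It assumes a `User` model using Passport's `HasApiTokens` trait, a hypothetical `App\Events\PermissionRevoked` event carrying the affected `$user` and `$permission`, a hypothetical `$user->hasPermission()` helper, and that permission names double as token scope names; everything else is Passport's own API (`tokens()`, `token()`, `Token::can()/cant()/revoke()`, the `RefreshToken` model). One caveat worth knowing for option 2: RFC 6750 specifies `403` with `error="insufficient_scope"` for a token that no longer covers the requested action, rather than a generic `400`.

```php
<?php
// Added example, not from the original post. Assumes Laravel + Passport,
// a hypothetical PermissionRevoked event ($user, $permission), a hypothetical
// $user->hasPermission() helper, and permission name == scope name.

// --- app/Listeners/RevokeTokensForLostPermission.php (option 1) ---
namespace App\Listeners;

use App\Events\PermissionRevoked;   // hypothetical event
use Laravel\Passport\RefreshToken;
use Laravel\Passport\Token;

class RevokeTokensForLostPermission
{
    // When a permission is removed, revoke every live access token that still
    // carries the matching scope. The refresh tokens behind them are revoked
    // too: a refresh reissues the same scopes, so leaving them alone would let
    // the client silently obtain a new token for the forbidden action.
    public function handle(PermissionRevoked $event): void
    {
        $scope = $event->permission; // assumption: permission name == scope name

        $tokens = $event->user->tokens()
            ->where('revoked', false)
            ->get()
            ->filter(fn (Token $token) => $token->can($scope));

        foreach ($tokens as $token) {
            RefreshToken::where('access_token_id', $token->id)
                ->update(['revoked' => true]);
            $token->revoke();
        }
    }
}

// --- app/Http/Middleware/EnsurePermissionStillHeld.php (option 2) ---
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsurePermissionStillHeld
{
    // Re-check the user's *current* permission on every request instead of
    // trusting the scope baked into the token at issue time. A token that
    // carries the scope but whose user lost the permission is rejected with
    // the RFC 6750 insufficient_scope response (403, not 400).
    public function handle(Request $request, Closure $next, string $scope)
    {
        $user  = $request->user();
        $token = $user?->token();

        if ($token === null || $token->cant($scope) || ! $user->hasPermission($scope)) {
            return response()
                ->json([
                    'error'             => 'insufficient_scope',
                    'error_description' => "The token no longer authorizes '{$scope}'.",
                ], 403)
                ->header('WWW-Authenticate',
                    'Bearer error="insufficient_scope", scope="' . $scope . '"');
        }

        return $next($request);
    }
}
```

Register the listener for `PermissionRevoked` in `EventServiceProvider`, give the middleware an alias (for example `permission.live`) in the HTTP kernel, and protect the route with `['auth:api', 'permission.live:action1']`. The two parts complement each other: the middleware closes the window immediately, while the listener makes sure the stale tokens cannot be refreshed back into existence.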