OAuth2 Client - Revoking an application doesn't revoke refresh token

stromb0li

Affected version: 2.3.8
Repro:
1) Create OAuth2 Application; Public flow
2) Request an access token
3) Revoke the application via Admin CP or User Settings -> Applications.
4) Use of the access token will result in 401 forbidden when making an API call (as expected)
5) Use the existing refresh token to request a new access token. An access and refresh token are issued, application consent is granted, and access to the API is resumed <- Not expected

Expected behavior: the access and refresh tokens would both be revoked, and asking to obtain a new access token should result in 401. The end user would have to go through the application consent flow again in order to obtain new access/refresh tokens accordingly.
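The report above, modelled as a regression check. This is an added example, not part of the original post and not XenForo's code: `TokenStore`, `run_repro`, and the user and client names are hypothetical, and the in-memory store only stands in for an authorization server's grant tables.

```python
import secrets
import time

class TokenStore:
    """Minimal in-memory model of an OAuth2 server's per-user grant state."""

    def __init__(self, cascade_on_revoke=True):
        self.cascade_on_revoke = cascade_on_revoke
        self.consents = set()   # (user, client_id) pairs the user approved
        self.access = {}        # access token -> (user, client_id, expiry)
        self.refresh = {}       # refresh token -> (user, client_id)

    def _issue(self, user, client_id):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, client_id, time.time() + 3600)
        self.refresh[rt] = (user, client_id)
        return at, rt

    def authorize(self, user, client_id):
        # Consent flow completed: record consent, issue the first token pair.
        self.consents.add((user, client_id))
        return self._issue(user, client_id)

    def api_call(self, access_token):
        # HTTP-style status for a bearer-token API request.
        grant = self.access.get(access_token)
        return 200 if grant and grant[2] > time.time() else 401

    def refresh_grant(self, refresh_token):
        # Rotate the refresh token; None means the grant was rejected.
        grant = self.refresh.pop(refresh_token, None)
        if grant is None or grant not in self.consents:
            return None
        return self._issue(*grant)

    def revoke_application(self, user, client_id):
        key = (user, client_id)
        self.access = {t: g for t, g in self.access.items() if g[:2] != key}
        if not self.cascade_on_revoke:
            return  # models the reported behaviour: refresh token survives
        self.refresh = {t: g for t, g in self.refresh.items() if g != key}
        self.consents.discard(key)

def run_repro(cascade_on_revoke):
    """Steps 2-5 of the report: (status after revoke, status after refresh)."""
    store = TokenStore(cascade_on_revoke)
    at, rt = store.authorize("alice", "public-client")  # constructed names
    store.revoke_application("alice", "public-client")
    new = store.refresh_grant(rt)
    return store.api_call(at), (store.api_call(new[0]) if new else 401)
```

`run_repro(False)` reproduces the reported outcome (old access token rejected, API access resumed after refresh), while `run_repro(True)` gives the expected one, where revocation also removes the refresh token and the consent.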