1
votes

I am trying to understand the token abuse scenarios in OpenID/OAuth 2.0 context.

In the grant_type=authorization_code scenario, the access token and the refresh token are available to the client app after successful user authorization. Token refresh makes it easy for the client app to keep using the user's resource for a practically infinite amount of time.

Is it possible to limit the use of the access and refresh tokens by the client app? Scenario: a user would like to authorize client app access to the resource only until he closes the browser. The tokens should be invalidated after that.


1 Answer

1
votes

For such control, the user completely depends on how the Identity Provider is implemented. It would be possible to implement the Identity Provider in such a way, e.g. it could ask the user on the consent screen when the authentication session should expire. However, I've never seen such an implementation. Some Identity Providers allow issued tokens to be revoked manually, but this is often hidden behind deep navigation on the Identity Provider's site.
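The two controls the answer mentions, a user-chosen session lifetime picked at consent and manual revocation of issued tokens, are straightforward for an Identity Provider to implement. The following in-memory token issuer is an added illustration, not code from the question, the answer, or any real Identity Provider: the class and method names (IdentityProvider, authorize, introspect, refresh, revoke) are made up for this example. It caps every token's expiry at the session deadline the user chose, rotates the refresh token on each use, and revokes the whole grant when the refresh token is revoked, which is the behaviour RFC 7009 recommends. The standards-based pieces it models are the token revocation endpoint (RFC 7009) and token introspection (RFC 7662); the "until the browser closes" wish is approximated by a short session deadline, since the server cannot observe the browser closing.

```python
"""Added example: a minimal OAuth 2.0 token issuer with a user-chosen session
lifetime and whole-grant revocation. Illustrative code, not a real IdP's API."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Grant:
    """One user authorization of one client; all tokens hang off a grant."""
    client_id: str
    user_id: str
    scope: str
    session_expires_at: float  # absolute deadline chosen on the consent screen
    revoked: bool = False


class IdentityProvider:
    ACCESS_TOKEN_TTL = 600  # seconds; short-lived by design

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock  # injectable for deterministic testing
        self.grants: Dict[str, Grant] = {}
        # token hash -> (grant_id, kind, expires_at); only hashes are stored
        self.tokens: Dict[str, Tuple[str, str, float]] = {}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, grant_id: str, kind: str, ttl: float) -> str:
        """Issue a token whose expiry never exceeds the grant's session deadline."""
        grant = self.grants[grant_id]
        expires_at = min(self.clock() + ttl, grant.session_expires_at)
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = (grant_id, kind, expires_at)
        return token

    def authorize(self, client_id: str, user_id: str, scope: str,
                  session_seconds: float) -> Tuple[str, str]:
        """Consent step: the user chooses how long the authorization session lasts."""
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = Grant(client_id, user_id, scope,
                                      self.clock() + session_seconds)
        access = self._issue(grant_id, "access", self.ACCESS_TOKEN_TTL)
        refresh = self._issue(grant_id, "refresh", session_seconds)
        return access, refresh

    def introspect(self, token: str) -> dict:
        """RFC 7662-style check: active only if unexpired and the grant is not revoked."""
        entry = self.tokens.get(self._h(token))
        if entry is None:
            return {"active": False}
        grant_id, kind, expires_at = entry
        grant = self.grants[grant_id]
        now = self.clock()
        if grant.revoked or now >= expires_at or now >= grant.session_expires_at:
            return {"active": False}
        return {"active": True, "token_type": kind, "client_id": grant.client_id,
                "sub": grant.user_id, "scope": grant.scope, "exp": int(expires_at)}

    def refresh(self, refresh_token: str, client_id: str) -> Tuple[str, str]:
        """grant_type=refresh_token: rotate the refresh token, bounded by the session."""
        info = self.introspect(refresh_token)
        if (not info["active"] or info["token_type"] != "refresh"
                or info["client_id"] != client_id):
            raise PermissionError("invalid_grant")
        grant_id = self.tokens.pop(self._h(refresh_token))[0]  # old token is spent
        remaining = self.grants[grant_id].session_expires_at - self.clock()
        return (self._issue(grant_id, "access", self.ACCESS_TOKEN_TTL),
                self._issue(grant_id, "refresh", remaining))

    def revoke(self, token: str) -> None:
        """RFC 7009: revoking a refresh token invalidates the whole grant;
        revoking an access token invalidates only that token. Unknown tokens
        are ignored, as the RFC requires the endpoint to respond 200 anyway."""
        entry = self.tokens.pop(self._h(token), None)
        if entry is None:
            return
        grant_id, kind, _ = entry
        if kind == "refresh":
            self.grants[grant_id].revoked = True


if __name__ == "__main__":
    idp = IdentityProvider()
    access, refresh = idp.authorize("client-app", "alice", "profile", session_seconds=900)
    print(idp.introspect(access))
    idp.revoke(refresh)  # the user pressed "revoke" on the IdP site
    print(idp.introspect(access))  # {'active': False}
```

The key design choice is that every token expiry is clamped to the grant's session deadline, so a refresh token cannot extend access past what the user agreed to, and that revocation acts on the grant rather than on one token, so a client cannot keep a still-valid access token after the user revoked its refresh token.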