Does the OIDC refresh token need any permanent cache?
Jim Fox
fox at washington.edu
Wed May 13 18:24:33 UTC 2020
>
>> If so, is there a way for me, via a hook or something, to intercept a refresh request and deny it if the subject was in a local "do not refresh" list - a list that I would maintain by other means?
>
> Unfortunately there's no support for such a hook at the moment. Anyway, what you just described sounds like one option to implement a feature allowing refresh token revocation for admins. Perhaps for end-users too. Currently the (OAuth2) revocation endpoint (which is called by the RPs) is the only option to revoke access or refresh tokens. This way there wouldn't be a need to maintain the state of all the tokens issued by the OP, as this "do not refresh list" could only contain for instance subjects and timestamps, describing something like "the refresh tokens for subject Y before instant X" are revoked.
>
This is what we do for SAML, where I can gain control in the MFA flow. It is necessary to quickly cut off any further access for compromised accounts or lost phones. I'd definitely like to see this feature implemented.
Jim