It’s entirely possible that I’m missing something relatively simple here, but I can’t seem to find an answer to this:
How would I go about having oathkeeper respect the revocation of a session?
My understanding from my research so far is:
- Upon performing some actions (such as initiating a user settings flow), kratos would check if the session had been deleted (from the session persister).
- On all actions that do not require hitting kratos, oathkeeper will simply validate that the session has not yet expired, then allow the user to pass through.
- I understand that JWTs are secure to allow through if they haven’t yet expired, but I could imagine situations where we would want to blacklist a single token and have it immediately revoked.
- This problem has been somewhat detailed here, but that was related to using hydra only (the issue about revocation)
So my question is in two parts:
- Is what I’ve outlined above correct?
- Would it be in line with the goals of the project to open a PR that adds “online” token checks to oathkeeper?
  - i.e. every time we get a token, check with kratos, possibly using the kratos whoami endpoint (can’t link to it due to new user restrictions)
Question above aside, I did want to drop a note saying thanks for all your work on these projects! I’ve only been able to arrive at this question because all the documentation and code has been quite easy to work with.
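As an added example for the question above (constructed for this thread, not configuration from the original post or from the Ory project's own docs), here is an Oathkeeper authenticator configuration that performs the "online" check the post asks about: instead of only verifying a JWT's signature and expiry locally, the cookie_session and bearer_token authenticators forward each request's credential to Kratos's whoami endpoint, so a session that Kratos has deleted is rejected on the very next request. The option names are those of Oathkeeper's cookie_session, bearer_token and jwt authenticators as I know them; the Kratos hostname and the JWKS URL are placeholders, and the cookie name is Kratos's default.

```yaml
# Added example: Oathkeeper authenticators that perform the "online" session
# check described in the post, by forwarding every request's credential to
# Kratos instead of only checking a JWT's expiry locally.
# Assumptions: Kratos's public API is reachable from Oathkeeper at
# http://kratos:4433 (placeholder), and the session cookie uses the default name.
authenticators:
  # Browser clients: Oathkeeper copies the session cookie to Kratos's whoami
  # endpoint. A deleted/revoked session is answered with 401 there, so the
  # request is denied immediately rather than when the cookie would expire.
  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      # Only forward requests that actually carry the session cookie;
      # everything else falls through to the next authenticator in the rule.
      only:
        - ory_kratos_session
      subject_from: identity.id
      extra_from: "@this"

  # API clients: the same online check for Kratos session tokens sent as
  # `Authorization: Bearer <session-token>`.
  bearer_token:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      subject_from: identity.id
      extra_from: "@this"

  # Kept for comparison: the purely local check the post describes. A JWT that
  # validates against these keys is accepted until its `exp` claim, so a
  # revoked session stays usable until the token expires.
  jwt:
    enabled: true
    config:
      jwks_urls:
        - https://issuer.example.invalid/.well-known/jwks.json  # placeholder
```

An access rule then selects the behaviour per route with `authenticators: [{handler: cookie_session}]` (or `bearer_token`) where immediate revocation matters, and `{handler: jwt}` where a round trip to Kratos on every request is not worth paying. That round trip is the cost of the online check: revocation takes effect at once, but Kratos is now on the hot path of every protected request, so its availability and latency directly bound the gateway's.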