Access token (AT) and consent revocation
Affected version
Version: 2.0.5
Platform: Nginx
Summary
An OIDC access token is still usable after the user has revoked their consents.
Logs
No logs available, but the issue can be reproduced as follows:
1/ Get an authorization code from the oauth2/authorize endpoint (give your consents)
2/ Then request an access_token and id_token through the oauth2/token endpoint
3/ Connect to the LemonLDAP::NG web UI and revoke your consents
4/ You can still use the access_token from step 2 to call the oauth2/getuserinfo endpoint, even though you have revoked your consents
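As an added check that is not part of the report, a small Python script that repeats step 4 against an instance and tells you whether a token is still accepted after revocation; the issuer URL and the token are supplied by you, and the oauth2/getuserinfo path is taken from the steps above.

```python
"""Check whether an OIDC access token is still accepted after consent revocation.

Assumptions (not from the report): the issuer base URL and the access token
obtained in step 2 are passed in; the userinfo path is oauth2/getuserinfo.
"""
import json
import sys
import urllib.error
import urllib.request


def classify_userinfo_response(status: int, body: bytes) -> str:
    """Map a userinfo HTTP response to one of:
    'accepted' : 200 with a JSON object carrying 'sub' (token still usable)
    'rejected' : 401 (token unknown or revoked, the expected state after step 3)
    'other'    : anything else (server error, non-JSON body, no 'sub' claim)
    """
    if status == 401:
        return "rejected"
    if status == 200:
        try:
            claims = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            return "other"
        if isinstance(claims, dict) and "sub" in claims:
            return "accepted"
    return "other"


def probe_userinfo(issuer: str, access_token: str, timeout: float = 10.0) -> str:
    """GET <issuer>/oauth2/getuserinfo with the bearer token and classify the outcome."""
    req = urllib.request.Request(
        issuer.rstrip("/") + "/oauth2/getuserinfo",
        headers={"Authorization": "Bearer " + access_token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_userinfo_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # 401 and other error statuses arrive here as exceptions
        return classify_userinfo_response(exc.code, exc.read())


if __name__ == "__main__":
    # usage: python check_at_revocation.py https://auth.example.com <access_token>
    outcome = probe_userinfo(sys.argv[1], sys.argv[2])
    print("after revocation the token is:", outcome)
    # a correctly revoked token yields 'rejected'; 'accepted' reproduces the bug
    sys.exit(0 if outcome == "rejected" else 1)
```

Run it once before step 3 (expect "accepted") and once after (expect "rejected"); a second "accepted" reproduces the issue.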
Backends used
File session backend
Possible fixes
Delete the access_token when consents are revoked