Description
The use-case is that when a token is revoked, revoke the exchanged tokens as well. For example, when token-a is used to exchange for token-b and then token-a is revoked, token-b should also be revoked automatically according to this use-case. I don't know if we can easily support such a use-case without too much overhead (as I guess it would mean we will need to track the exchanged tokens) and how important it really is...
Not sure if it is something we can support unless all the exchanged tokens are saved somewhere including the original token, so that revocation of the original will revoke all the "children tokens".
(Note from Stian): Don't really want to store anything like that server side TBH. Maybe we could encode it into the jti? Instead of just a UUID it could be base64urlencode(subject-token.jti + ":" + uuid)
Discussion
No response
Motivation
No response
Details
No response
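The jti encoding suggested in the note above, sketched as an added example (not Keycloak code and not written by the issue's participants): the exchanged token's jti embeds the subject token's jti, so a revocation check can walk back to the original without a server-side parent/child table. The function names and the `revoked` set of jti values are assumptions made for illustration.

```python
import base64
import uuid


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_jti(subject_jti: str) -> str:
    """jti for an exchanged token: base64url(subject_jti + ":" + uuid)."""
    return _b64url_encode(f"{subject_jti}:{uuid.uuid4()}".encode("utf-8"))


def parent_jti(jti: str):
    """Return the embedded subject-token jti, or None for a plain (root) jti."""
    try:
        decoded = _b64url_decode(jti).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Split on the last ":" so a subject jti that itself contains ":" survives.
    head, sep, tail = decoded.rpartition(":")
    if not sep:
        return None
    try:
        uuid.UUID(tail)  # the suffix must be the UUID added by derive_jti
    except ValueError:
        return None
    return head


def is_revoked(jti: str, revoked: set) -> bool:
    """True if this jti or any ancestor in its exchange chain is revoked."""
    while jti is not None:
        if jti in revoked:
            return True
        jti = parent_jti(jti)  # each hop decodes to a shorter string
    return False
```

The check is only meaningful on a jti taken from a token whose signature has already been verified, and the revoked original must stay in the revocation set for as long as any token exchanged from it can still be valid. Each exchange hop grows the jti by roughly a third plus the UUID, so long chains produce long identifiers.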