[ https://issues.apache.org/jira/browse/USERGRID-1232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeffrey updated USERGRID-1232:
-------------------------------
    Description: 
If I get an access token as an org admin user, that token can be revoked by 
anyone.

For example, this request revokes all of the org admin access tokens for user 
amuramoto:

curl -X PUT https://api.usergrid.com/management/users/amuramoto/revoketokens

This also applies to the /revoketoken?token="someToken" endpoint.

An access token should be required to perform any operation on the /management 
endpoint. So the request would need to be something like...

curl -X PUT https://api.usergrid.com/management/users/amuramoto/revoketokens?access_token="some_other_valid_token"

Alternatively, the request could provide client id and secret.

> /revoketoken endpoint for admin user token does not require auth
> ----------------------------------------------------------------
>
>                 Key: USERGRID-1232
>                 URL: https://issues.apache.org/jira/browse/USERGRID-1232
>             Project: Usergrid
>          Issue Type: Story
>            Reporter: Jeffrey 
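As an added example that is not part of this report or of Usergrid's own code, the Python below sketches the missing check: the unauthenticated revocation the report describes next to a hardened handler that requires either a valid access token belonging to the target user or an org admin, or a client id and secret, before anything is revoked. The in-memory stores, the constructed client credentials and all function names are illustrative assumptions, not Usergrid APIs.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the server's token and client storage.
TOKENS = {}                                    # access token -> {"user": str, "admin": bool}
CLIENT_SECRETS = {"app-client": "app-secret"}  # constructed client id / secret pair

def issue_token(user, admin=False):
    """Mint an opaque token and record who it belongs to (org admins flagged)."""
    token = secrets.token_hex(16)
    TOKENS[token] = {"user": user, "admin": admin}
    return token

def revoke_tokens_unchecked(target_user):
    """The behaviour the report describes: nothing about the caller is checked."""
    doomed = [t for t, meta in TOKENS.items() if meta["user"] == target_user]
    for t in doomed:
        del TOKENS[t]
    return len(doomed)

def _caller_allowed(target_user, access_token, client_id, client_secret):
    # Option 1: a valid, unrevoked access token owned by the target user or by an org admin.
    if access_token is not None:
        meta = TOKENS.get(access_token)
        return meta is not None and (meta["user"] == target_user or meta["admin"])
    # Option 2: client id and secret, compared in constant time.
    if client_id is not None and client_secret is not None:
        expected = CLIENT_SECRETS.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)
    return False

def revoke_tokens(target_user, access_token=None, client_id=None, client_secret=None):
    """Hardened /revoketokens: refuse unless the caller proves who they are first."""
    if not _caller_allowed(target_user, access_token, client_id, client_secret):
        raise PermissionError("authentication required to revoke tokens")
    return revoke_tokens_unchecked(target_user)

def revoke_token(token, access_token=None, client_id=None, client_secret=None):
    """Hardened /revoketoken: authorise against the token's owner before touching it."""
    meta = TOKENS.get(token)
    owner = meta["user"] if meta else None
    # Authorisation is checked first so an unauthenticated caller cannot probe
    # whether an arbitrary token string is currently valid.
    if not _caller_allowed(owner, access_token, client_id, client_secret):
        raise PermissionError("authentication required to revoke a token")
    if meta is None:
        return False
    del TOKENS[token]
    return True
```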



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
