[ https://issues.apache.org/jira/browse/USERGRID-1232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15659004#comment-15659004 ]

Lynch Lee edited comment on USERGRID-1232 at 11/12/16 4:48 AM:
---------------------------------------------------------------

@[~jwest_apigee] Considering this, if only the system admin can call revoke tokens of org admins/app admins/app users directly, or the org admin can revoke any token himself, then org admins/app admins/app users are safe. Do you think so...??

was (Author: lynchlee):
@[~jwest_apigee] Considering this, if only the system admin can call revoke tokens of org/app/app users directly, or the org admin can revoke any token himself. Do you think so...??

> /revoketoken endpoint for admin user token does not require auth
> ----------------------------------------------------------------
>
>                 Key: USERGRID-1232
>                 URL: https://issues.apache.org/jira/browse/USERGRID-1232
>             Project: Usergrid
>          Issue Type: Story
>            Reporter: Jeffrey
>
> If I get an access token as an org admin user, that token can be revoked by
> anyone.
>
> For example, this request revokes all of the org admin access tokens for user
> amuramoto:
>
> curl -X PUT https://api.usergrid.com/management/users/amuramoto/revoketokens
>
> This also applies to the /revoketoken?token="someToken" endpoint.
>
> An access token should be required to perform any operation on the
> /management endpoint. So the request would need to be something like...
>
> curl -X PUT
> https://api.usergrid.com/management/users/amuramoto/revoketokens?access_token="some_other_valid_token"
>
> Alternatively, the request could provide client id and secret.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
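The following is an added example, not code from the Usergrid project or from anyone in this thread. It models, in Python, the check the report asks for on the management revoke endpoints: the caller must present either an access_token (query parameter or Bearer header) or a client id/secret pair, and, following the policy Lynch Lee proposes in the comment, only a system admin may revoke another user's tokens while an org admin may revoke only their own. The principal names, roles, token store, client credentials and function names are assumptions made for the example; the real Usergrid handlers and data model are not shown here.

```python
"""Authorization check for /management/users/{user}/revoketokens and
/management/revoketoken?token=... (constructed example, not Usergrid code)."""
from dataclasses import dataclass
from hmac import compare_digest


@dataclass(frozen=True)
class Principal:
    user: str
    role: str  # assumed roles: "sysadmin", "orgadmin", "appuser"


# Constructed token store: access_token -> owning principal.
TOKENS = {
    "tok-sys": Principal("sysadmin1", "sysadmin"),
    "tok-amu": Principal("amuramoto", "orgadmin"),
    "tok-bob": Principal("bob", "orgadmin"),
}

# Constructed client credentials: client_id -> (client_secret, principal).
CLIENTS = {"client-sys": ("secret-sys", Principal("svc", "sysadmin"))}


def _bearer(headers):
    """Extract a token from 'Authorization: Bearer <token>', if present."""
    value = headers.get("Authorization", "")
    if value.startswith("Bearer "):
        return value[len("Bearer "):]
    return None


def authenticate(query, headers, tokens):
    """Return the calling principal, or None when no valid credential is given.

    Accepts the two forms the issue names: an access_token, or a client id
    and secret. The secret comparison is constant-time."""
    token = query.get("access_token") or _bearer(headers)
    if token:
        return tokens.get(token)
    cid = query.get("client_id")
    if cid in CLIENTS:
        secret, principal = CLIENTS[cid]
        if compare_digest(secret, query.get("client_secret") or ""):
            return principal
    return None


def may_revoke(caller, target_user):
    """Proposed policy: sysadmin may revoke anyone's; others only their own."""
    if caller is None:
        return False
    if caller.role == "sysadmin":
        return True
    return caller.user == target_user


def handle_revoke_tokens(target_user, query, headers, tokens):
    """PUT /management/users/{target_user}/revoketokens.

    Returns (http_status, detail); detail is the number revoked on success."""
    caller = authenticate(query, headers, tokens)
    if caller is None:
        return 401, "access token or client credentials required"
    if not may_revoke(caller, target_user):
        return 403, "caller may not revoke tokens of this user"
    revoked = [t for t, p in tokens.items() if p.user == target_user]
    for t in revoked:
        del tokens[t]
    return 200, len(revoked)


def handle_revoke_token(token_to_revoke, query, headers, tokens):
    """PUT /management/revoketoken?token=<token_to_revoke>.

    Authentication is checked before the token lookup, so an anonymous
    caller learns nothing about whether a given token exists."""
    caller = authenticate(query, headers, tokens)
    if caller is None:
        return 401, "access token or client credentials required"
    owner = tokens.get(token_to_revoke)
    if owner is None:
        return 404, "no such token"
    if not may_revoke(caller, owner.user):
        return 403, "caller may not revoke this token"
    del tokens[token_to_revoke]
    return 200, 1


if __name__ == "__main__":
    # The unauthenticated PUT from the report is now refused.
    print(handle_revoke_tokens("amuramoto", {}, {}, dict(TOKENS)))
    # The same request with another valid token of the same user succeeds.
    print(handle_revoke_tokens("amuramoto", {"access_token": "tok-amu"}, {}, dict(TOKENS)))
```

The first call in the `__main__` block reproduces the bare `curl -X PUT .../revoketokens` from the report and is rejected with 401; the store is passed in as a copy so each call starts from the same constructed state.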