Better handle access tokens #15963

balloob · 2018-08-13T19:56:00Z

We don't store access tokens, they are lost every restart of Home Assistant.

I still don't want to store access tokens. They change too often.

Instead I suggest that we make the access tokens JWT tokens signed with the refresh token.

That way we can check validity without having to keep track of them.

awarecan · 2018-08-14T04:27:31Z

Do we ever need revoke/invalid one or all access_token?

balloob · 2018-08-14T07:05:11Z

We will add support for revoking refresh tokens.

balloob · 2018-08-14T14:42:39Z

Just to expand a bit more on my last comment: revoking a refresh token will revoke all access tokens it ever created.

balloob added auth p1 labels Aug 13, 2018

balloob mentioned this issue Aug 13, 2018

Activate auth providers by default #15703

Closed

balloob self-assigned this Aug 14, 2018

balloob mentioned this issue Aug 14, 2018

Use JWT for access tokens #15972

Merged

3 tasks

ghost added the in progress label Aug 14, 2018

balloob closed this as completed in #15972 Aug 14, 2018

ghost removed the in progress label Aug 14, 2018

home-assistant locked and limited conversation to collaborators Dec 14, 2018

Provide feedback