Discrepancy in Token Invalidation Behavior of RevokeOAuth2ConsentSessions: Which Documentation is Correct?

[sakai-303]

When using RevokeOAuth2ConsentSessions to invalidate a ConsentSession, it appears that tokens are being invalidated, despite the description stating, "This endpoint does not invalidate any tokens."

https://github.com/ory/hydra-client-go/blob/0e458869ede6593f22c45529dc289a2104f087d2/api_o_auth2.go#L444

Moreover, in the actual OpenAPI definition, it states that "invalidates all associated OAuth 2.0 Access Tokens."

https://github.com/ory/hydra-client-go/blob/0e458869ede6593f22c45529dc289a2104f087d2/api/openapi.yaml#L1020-L1022

Which of these is actually correct?

[aeneasr]

It does invalidate all tokens - could you fix the docs in a PR maybe? Thank you!

[sakai-303]

Thank you! It might take a little bit of time, but I'll submit the PR.

[alnr]

Y'all are confusing consent and login sessions.

Revoking a consent session also revokes all associated token chains derived from it.

Revoking a login session does not!

[sakai-303]

"I'm not entirely sure if I understand this correctly, so please correct me if I'm wrong, but it seems that this method is canceling the consent session. Therefore, the comment stating 'This endpoint does not invalidate any tokens.' might be incorrect."

I realized that I was looking at the wrong comments. Sorry for the mix-up. 🙏