Invoke-OktaRemoveAccessToken should revoke the access token prior to nulling it out #66
Comments
|
Hi @aseigler, Thanks for your feedback. We do agree. This has been part of the team plan, but we haven't had time to implement it due to other priorities. We're more than happy to accept contributions if you're willing to; please take a look at our contributing guide and CLA. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Invoke-OktaRemoveAccessToken currently sets the script-bound variable containing the cached access token to null. It would be much better from a security perspective if the token were first revoked, then the variables containing them set to null. It is especially important because the process of revoking access tokens requires the access token, and if you've already set it to null, you have effectively lost the handle to the access token and are unable to revoke it directly.
I am more than willing to provide a PR to resolve this properly.
The text was updated successfully, but these errors were encountered: