Allow revoking access token without revoking refresh token

[apexskier]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

We'd like to be able to revoke an individual access token without revoking a refresh token.

The spec says:

If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.

Currently, fosite revokes both access and refresh tokens on any token revocation:

fosite/handler/oauth2/revocation.go

Lines 58 to 59 in 45a6785

	err1 = r.TokenRevocationStorage.RevokeRefreshToken(ctx, requestID)
	err2 = r.TokenRevocationStorage.RevokeAccessToken(ctx, requestID)

This effectively means we cannot revoke an access token if using refresh tokens, since it makes the refresh token useless.

Describe your ideal solution

Ideally, we'd like the token revocation endpoint to not revoke refresh tokens when an access token is revoked.

Alternatively, it would work if we could to configure this behavior (either globally for our hydra instance or with an additional parameter to the revocation endpoint).

Workarounds or alternatives

We're not revoking access tokens where we'd like to be right now.

Another alternative would be to expose an admin endpoint in ory/hydra to revoke just access tokens.

Version

oryd/hydra:v2.1.1

Additional Context

No response

[apexskier]

We just hit this again in another use case

[vivshankar]

I believe this addresses this issue:

#766

Waiting on a review.

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

[vivshankar]

Waiting for @aeneasr to review the unit tests and merge.