Redesign OAuth authorized applications view
Related to #364827 (closed) and other recent work with OAuth applications and access tokens.
We currently only display the latest access token for a given application under 'Authorized applications' in a user's profile at /-/profile/applications. However, there may be any number of tokens per application.
Issue
Currently, an application may have multiple tokens if one token expired and the application went through the authorization flow again. In the very near future we will disable the reuse of access tokens, which will mean a user can have an unlimited number of unexpired, unrevoked tokens per application. Currently, the 'Revoke' button on these tokens revokes all tokens for that application for the current user, which is desirable since we're not showing all tokens. There is support for revoking only the specified token if we wish to use it in the future.
(In live environment: screenshot not captured.)
Potential solutions
- List all tokens under a heading for the respective application, with an option to revoke all or to revoke individually. The only difficulty here is that there is really very little way for users to discern where or how a given token is used; the only information we have is when the token was created and the user and application for which it is valid.
- Continue to show just one token, but show the first `created_at` date rather than the latest one; perhaps this should be labelled 'first authorized at'.
Visuals
Mockups V1, V2 (full list) and V2 (reduced search): images not captured.
Database structure
It might be helpful to show all of the columns we have for access tokens:
```sql
CREATE TABLE oauth_access_tokens (
    id integer NOT NULL,
    resource_owner_id integer,
    application_id integer,
    token character varying NOT NULL,
    refresh_token character varying,
    expires_in integer,
    revoked_at timestamp without time zone,
    created_at timestamp without time zone NOT NULL,
    scopes character varying
);
```
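As an added example (not code from this issue or from GitLab), the query a per-application view would need against the columns above: the first authorization date and the number of live tokens (not revoked, not past `created_at + expires_in`) per application for one user, plus the revoke-all behaviour described earlier. It assumes an in-memory SQLite copy of the table, constructed sample rows and a fixed clock.

```python
import sqlite3

# Schema from the issue, with SQLite-compatible type names.
SCHEMA = """
CREATE TABLE oauth_access_tokens (
    id INTEGER NOT NULL, resource_owner_id INTEGER, application_id INTEGER,
    token TEXT NOT NULL, refresh_token TEXT, expires_in INTEGER,
    revoked_at TEXT, created_at TEXT NOT NULL, scopes TEXT
);
"""

# Constructed sample rows: user 1 authorized app 10 three times (one token
# expired, one revoked, one live) and app 20 once with a non-expiring token.
SAMPLE_ROWS = [
    (1, 1, 10, "t-old", None, 7200, None, "2022-06-01 08:00:00", "api"),
    (2, 1, 10, "t-revoked", None, 7200, "2022-06-02 09:00:00", "2022-06-02 08:00:00", "api"),
    (3, 1, 10, "t-live", None, 7200, None, "2022-06-03 08:00:00", "read_api"),
    (4, 1, 20, "t-app20", None, None, None, "2022-05-20 12:00:00", "api"),
]

NOW = "2022-06-03 09:00:00"  # fixed clock so the results are deterministic

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO oauth_access_tokens VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

# One row per application: 'first authorized at' and the count of live tokens.
# expires_in is in seconds; NULL means the token never expires.
SUMMARY_SQL = """
SELECT application_id,
       MIN(created_at) AS first_authorized_at,
       SUM(CASE WHEN revoked_at IS NULL
                 AND (expires_in IS NULL
                      OR datetime(created_at, '+' || expires_in || ' seconds') > :now)
            THEN 1 ELSE 0 END) AS live_tokens
FROM oauth_access_tokens
WHERE resource_owner_id = :user
GROUP BY application_id
ORDER BY application_id
"""

def authorized_applications(conn, user_id, now=NOW):
    return conn.execute(SUMMARY_SQL, {"user": user_id, "now": now}).fetchall()

def revoke_application(conn, user_id, application_id, now=NOW):
    """Revoke every not-yet-revoked token for this user and application; returns the count."""
    cur = conn.execute(
        "UPDATE oauth_access_tokens SET revoked_at = :now "
        "WHERE resource_owner_id = :user AND application_id = :app AND revoked_at IS NULL",
        {"now": now, "user": user_id, "app": application_id})
    return cur.rowcount
```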