Revoked application still has access

I was testing the behavior of when a third-party application gets its access revoked through the Community > Third Party Applications page.

So far it’s been about 12 hours and my app still has access to private information. I am able to query for a new access token using my refresh token, and I’m able to use the ESI api to get private data.

This seems pretty broken?

There are some open issues about this. Namely:

If you are using the V1 SSO endpoints, can make an issue there.

I was using the v2 oauth endpoints. That’s incredibly broken if users can’t revoke access at all. And it’s been broken for 4-5 months?

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.