Hello everyone,
Recently I’ve been working on an external app that pushes data to a Monday board.
For security reasons, we are not using an API token; instead, we are getting an access token from Monday via the OAuth flow.
To configure OAuth, I created an app with only the required scopes.
From a recent test, I’ve discovered that the issued access token always has access to the API.
Steps to reproduce:
1. Create the app, grant read board access, get a token via the OAuth flow (using client_id & client_secret)
2. Use the API to read data from GraphQL (with the access token)
3. Remove read scope access on the Monday side / refresh the client_secret and signing secret
4. Use the API with the same access token from step 2 - the API still retrieves data
5. Delete the app, use the read API - it still worked
From the test, I see that the access token is always valid, even with the app removed and the scope changed.
It’s a big security concern for us; could you please advise on this issue?
@Matias.Monday
Hello Matias, correct, for the last test with published versions I used major versions.
All the major version tokens stayed valid until I deleted or uninstalled the application.
@Matias.Monday Are there any updates regarding this question?
We want to be sure that all tokens will be invalidated as soon as we remove the app, change the configuration of an unpublished app, or create a new version.
Also, we discovered that the access token can’t be refreshed with a refresh token; only an access token is provided. Are there any plans to add a refresh token to the OAuth flow?
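A small regression check for the lifecycle described in the steps above, added here as an example and not code from the poster or from monday.com: it re-runs a minimal read-only boards query with the same access token after each event (scope removed, secret rotated, app deleted) and reports which events left the token usable. The endpoint URL, the bare `Authorization: <token>` header and the shape of a rejection (HTTP 401/403 or a GraphQL `errors` array) are assumptions; the transport and the event-performing callback are injectable so the check can also run offline against a constructed response.

```python
import json
import urllib.error
import urllib.request

MONDAY_API = "https://api.monday.com/v2"  # assumed GraphQL endpoint


def _http_transport(token, payload):
    """Real transport: POST the GraphQL payload with the access token.
    Returns (http_status, decoded_json_body)."""
    req = urllib.request.Request(
        MONDAY_API, data=json.dumps(payload).encode(),
        headers={"Authorization": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def probe_boards(token, transport=None):
    """Send the smallest read-only query the 'boards:read' scope allows."""
    query = {"query": "{ boards(limit: 1) { id name } }"}
    return (transport or _http_transport)(token, query)


def token_still_works(status, body):
    """Treat the token as live only if the call succeeded with board data;
    a 401/403 or a GraphQL 'errors' array counts as a rejection."""
    if status in (401, 403) or body.get("errors"):
        return False
    return body.get("data", {}).get("boards") is not None


def check_revocation(token, events, perform, transport=None):
    """For each lifecycle event: perform it (operator action or simulation),
    then re-probe with the ORIGINAL token. Returns the events after which the
    token was still accepted, i.e. the ones that failed to revoke it."""
    leaks = []
    for event in events:
        perform(event)
        status, body = probe_boards(token, transport)
        if token_still_works(status, body):
            leaks.append(event)
    return leaks
```

An empty result means every event revoked the token; in the thread's scenario the scope-removal and secret-rotation events would be reported as leaks.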