Enable/Support Token Revocation with RFC7009

This issue has been tracked since 2022-04-14.


Revoke tokens using RFC7009 instead of just deleting them from disk.

Detailed design

Not sure if Google Auth supports RFC 7009, but it would be much better for the cleanup to revoke the token as well as deleting it.

An exfiltrated/exposed token usually has a much longer lifetime than the pipeline. To reduce the window available to a bad actor, it would be great to revoke the token via RFC7009.

Additional information


sethvargo wrote this answer on 2022-04-14

There is no way to revoke OAuth2 tokens for service accounts. The https://oauth2.google.com/revoke endpoint will return the following:

  "error": "invalid_request"
  "error_description": "Token is not revocable."

It's possible to revoke user tokens, but that's a very unlikely use case for GitHub Actions. My recommendation is to keep the token lifetime's as short as possible. You can control the value with the token_lifetime input parameter to the action.

More Details About Repo
Owner Name google-github-actions
Repo Name auth
Full Name google-github-actions/auth
Language TypeScript
Created Date 2021-09-16
Updated Date 2023-03-24
Star Count 573
Watcher Count 16
Fork Count 116
Issue Count 3


Issue Title Created Date Updated Date