
PATTERN Cited by 1 source

Revocation replay queue

Problem

During a blue-green database migration with writes still enabled, any revocations (e.g., OAuth token revocations) performed against the "blue" database will be lost when traffic cuts over to the "green" database. Disabling writes entirely would prevent users from revoking access to applications during the maintenance window — an unacceptable security trade-off.

Solution

Capture every revocation event in a durable queue during the migration window. After cutover to the green database, drain the queue and replay all revocation events against the new datastore. This ensures no revoked application inadvertently regains access.
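The capture-and-replay flow described above, as an added example (an in-memory model, not Cloudflare's or Hydra's code). The `Store` class, the event fields `grant_id` and `revoked_at`, the enqueue-before-write ordering, and the rule that a grant issued after a revocation survives replay are all assumptions made for illustration.

```python
from collections import deque

class Store:
    """Stand-in datastore: grant_id -> {"active": bool, "granted_at": int}."""
    def __init__(self, grants):
        self.grants = {gid: dict(g) for gid, g in grants.items()}

    def revoke(self, grant_id, revoked_at):
        g = self.grants.get(grant_id)
        # Idempotent, so at-least-once redelivery is harmless. Assumption: a
        # grant issued after the revocation is a new consent and is kept.
        if g is None or not g["active"] or g["granted_at"] > revoked_at:
            return False
        g["active"] = False
        return True

def revoke_during_migration(blue, queue, grant_id, now):
    # Enqueue first: if the process dies before the blue write, the
    # revocation still reaches green on replay.
    queue.append({"grant_id": grant_id, "revoked_at": now})
    blue.revoke(grant_id, now)

def drain(queue, green):
    """Replay queued revocations on green; return how many changed state."""
    changed = 0
    while queue:
        event = queue[0]
        changed += green.revoke(event["grant_id"], event["revoked_at"])
        queue.popleft()  # ack only after the green write succeeded
    return changed

def run_demo():
    seed = {g: {"active": True, "granted_at": 100} for g in ("app-a", "app-b", "app-c")}
    blue, queue = Store(seed), deque()   # deque stands in for the durable queue
    green = Store(blue.grants)           # snapshot taken at migration start
    revoke_during_migration(blue, queue, "app-a", now=200)
    revoke_during_migration(blue, queue, "app-c", now=210)
    queue.append({"grant_id": "app-a", "revoked_at": 200})  # constructed duplicate delivery
    stale = green.grants["app-a"]["active"]    # True: green is stale until drained
    green.grants["app-c"]["granted_at"] = 300  # constructed: user re-consents on green
    changed = drain(queue, green)
    active = sorted(g for g, v in green.grants.items() if v["active"])
    return stale, changed, active, len(queue)

if __name__ == "__main__":
    print(run_demo())
```

If the write to green raises, the event stays at the head of the queue and the next `drain` call retries it, which is why `revoke` has to be safe to apply more than once.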

How Cloudflare Applied It

During the Hydra 2.x upgrade, Cloudflare used Cloudflare Queues as the revocation capture queue. When a user revoked an OAuth application during the upgrade window, a record was written to the queue with revocation metadata. After the green database was live, the queue was drained and all revocations were replayed, guaranteeing that no previously-revoked app regained access (Source: sources/2026-06-24-cloudflare-oauth-for-all).

Trade-offs

  • Pro: Users can revoke at any time — no security compromise during maintenance.
  • Pro: Queue is durable — revocations survive process crashes.
  • Con: Adds operational complexity — queue drain must complete before revocation state is consistent.
  • Con: Brief window where green database has stale revocation state.
