I know this is not addressed in the OAuth spec itself, but it seems logical and good security practice. I wanted to know if the OTK has this built-in feature. FYI, some COTS products and Google do it.
Let me send you an email directly on this.
Why would you want to invalidate the token? It's the same user as far as I understand, and the user's credentials were accepted when the user granted access to his resources.
Maybe you can share your thoughts on this.
For fraud and risk reasons, sometimes we have to force the user to go through a password reset. At that time we do not want any tokens to be active that were issued for the same user with the previous password.
Actually, we have received this question a few times in the last few weeks.
The solution would be to create an API in OTK that gets called whenever a user changes his password at the IDP.
I will write a blog post within the next few days to show how an API can be built that takes a username (and some other credentials) and revokes all OAuth tokens for that user.
It will be hard for IDPs to call APIs on the gateway when a user changes passwords. Instead, customize the /auth/oauth/v2/token endpoint to verify user attributes for the password-last-set value before issuing an access token when a refresh token is presented for authentication. This varies by identity provider, but it is pwdLastSet in Microsoft Active Directory. Access tokens should typically be short lived, anywhere from 1 hour to a maximum of 1 day for enterprise mobile applications, for the same security reasons. Only refresh tokens or ID tokens are long term, to avoid challenging for resource owner credentials and to support mobile SSO. Revoke refresh tokens or ID tokens if the password changed since they were last issued.
Also, it is not advised to validate pwdLastSet in the protected API when using OTK Require OAuth Token, for performance reasons.
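Added example (not from this thread, not OTK code, and not the product's actual /auth/oauth/v2/token policy): a small Python token store that shows both controls discussed above side by side. On the refresh grant it compares the token's issued-at time with the user's password-last-set time and rejects (and permanently revokes) any refresh token issued before the last password change; it also exposes a revoke-everything-for-this-user function of the kind a gateway-side "password changed" API would call. Active Directory's pwdLastSet is stored as a FILETIME (100-ns ticks since 1601-01-01 UTC), so a converter is included; all class names, field names and the scenario timestamps are constructed for this example.

```python
"""Added example: refresh-token validation against pwdLastSet plus a
per-user revocation routine. Not OTK code; names and timestamps are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# AD FILETIME epoch: pwdLastSet counts 100-ns ticks from this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD pwdLastSet value (100-ns ticks since 1601-01-01) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


@dataclass
class User:
    username: str
    pwd_last_set: datetime  # UTC; mirrors the directory's pwdLastSet attribute


@dataclass
class RefreshToken:
    value: str
    username: str
    issued_at: datetime
    revoked: bool = False


class TokenStore:
    """Hypothetical in-memory stand-in for the gateway's token store."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.tokens: dict[str, RefreshToken] = {}

    def add_user(self, username: str, pwd_last_set: datetime) -> User:
        user = User(username, pwd_last_set)
        self.users[username] = user
        return user

    def issue_refresh_token(self, username: str, now: datetime) -> RefreshToken:
        tok = RefreshToken(secrets.token_urlsafe(32), username, now)
        self.tokens[tok.value] = tok
        return tok

    def validate_refresh_token(self, value: str) -> tuple[bool, str]:
        """Check a refresh token presented on the refresh grant.

        Returns (accepted, reason). A token issued before the user's current
        pwdLastSet is rejected and marked revoked so it never succeeds later.
        """
        tok = self.tokens.get(value)
        if tok is None:
            return False, "unknown_token"
        if tok.revoked:
            return False, "revoked"
        user = self.users[tok.username]
        if tok.issued_at < user.pwd_last_set:
            tok.revoked = True
            return False, "password_changed_since_issue"
        return True, "ok"

    def revoke_all_tokens_for_user(self, username: str) -> int:
        """Gateway-side revocation API: revoke every live token for one user."""
        count = 0
        for tok in self.tokens.values():
            if tok.username == username and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def change_password(self, username: str, when: datetime, revoke_existing: bool = False) -> int:
        """Record a password change; optionally revoke outstanding tokens immediately."""
        self.users[username].pwd_last_set = when
        return self.revoke_all_tokens_for_user(username) if revoke_existing else 0


def run_scenario() -> dict[str, object]:
    """Constructed timeline: token issued, password reset, old token presented again."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = TokenStore()
    store.add_user("alice", pwd_last_set=t0 - timedelta(days=1))

    old = store.issue_refresh_token("alice", now=t0)
    before = store.validate_refresh_token(old.value)  # accepted: issued after last reset

    # Password reset two hours later with no revocation API call; the
    # pwdLastSet comparison alone has to catch the stale token.
    store.change_password("alice", when=t0 + timedelta(hours=2))
    after = store.validate_refresh_token(old.value)   # rejected and revoked
    again = store.validate_refresh_token(old.value)   # stays rejected

    new = store.issue_refresh_token("alice", now=t0 + timedelta(hours=3))
    fresh = store.validate_refresh_token(new.value)   # accepted: issued after reset

    revoked = store.revoke_all_tokens_for_user("alice")  # explicit API path
    return {"before": before, "after": after, "again": again,
            "fresh": fresh, "revoked": revoked}


if __name__ == "__main__":
    print(run_scenario())
```

The check runs only on the refresh grant, which matches the advice above: the directory lookup for pwdLastSet happens once per refresh, not on every protected API call, so the short-lived access token still carries no per-request directory cost.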
The question is not whether it's hard for an IDP to call an API. It is simply the only way of doing it at the time when usernames or passwords change.