Revoke or disable access/refresh token by user/sub #3284
Replies: 2 comments 9 replies
-
Ideally you use something like Ory Kratos for session management which has flows and APIs designed exactly for this use case. This PR would probably help a lot with that.
-
Is there a way to do this without Kratos? We are using a different identity provider. It would be nice if Hydra had an API where you can provide a user and a timestamp, such that all tokens (especially refresh tokens) issued for that user before that timestamp are revoked. The identity provider could then synchronize that timestamp with the time of the latest password change.
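The per-user cutoff rule proposed in the comment above, as an added example; it is not an Ory Hydra API and not code from anyone in this thread. The names `SubjectCutoffs` and `check_token` are hypothetical, and the example assumes the component doing the check can see the `auth_time` (time of the user's login) behind each token.

```python
import time

class SubjectCutoffs:
    """Per-subject 'revoked before' timestamps in Unix seconds (in-memory store)."""

    def __init__(self):
        self._cutoffs = {}

    def revoke_before(self, sub, when=None):
        # The cutoff only moves forward, so a late or replayed sync from the
        # identity provider cannot make older tokens valid again.
        when = int(time.time()) if when is None else int(when)
        self._cutoffs[sub] = max(when, self._cutoffs.get(sub, 0))
        return self._cutoffs[sub]

    def get(self, sub):
        return self._cutoffs.get(sub)


def check_token(token, cutoffs):
    """Return (accepted, reason) for token metadata with sub, iat, auth_time."""
    sub = token.get("sub")
    if not sub:
        return False, "no subject"
    cutoff = cutoffs.get(sub)
    if cutoff is None:
        return True, "ok"
    # Compare the time the user authenticated, not the token's own iat:
    # a token minted by a refresh after the password change has a fresh iat
    # but still descends from the login on the lost device.
    auth_time = token.get("auth_time")
    if type(auth_time) is not int:
        return False, "no auth_time"  # fail closed (assumed field is missing)
    if auth_time <= cutoff:  # one-second resolution: a tie counts as revoked
        return False, "authenticated before cutoff"
    return True, "ok"


# Constructed sample data; subjects and timestamps are made up.
PASSWORD_CHANGED_AT = 1_700_000_000
CUTOFFS = SubjectCutoffs()
CUTOFFS.revoke_before("user-123", PASSWORD_CHANGED_AT)

# Lost device: logged in a day before the change, refreshed five minutes after it.
LOST_DEVICE = {"sub": "user-123", "auth_time": PASSWORD_CHANGED_AT - 86400, "iat": PASSWORD_CHANGED_AT + 300}
# Another device after the user logged in again with the new password.
RELOGGED_IN = {"sub": "user-123", "auth_time": PASSWORD_CHANGED_AT + 60, "iat": PASSWORD_CHANGED_AT + 60}
OTHER_USER = {"sub": "user-456", "auth_time": PASSWORD_CHANGED_AT - 86400, "iat": PASSWORD_CHANGED_AT - 86400}
```

Keying the rule on `iat` alone would accept `LOST_DEVICE`, because its access token was issued after the password change; the login time is what ties it back to the revoked session.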
-
Hello there,
I am trying to find out if Ory Hydra has a way to revoke/disable the access/refresh token by taking user/sub as an input.
Use case: A user is using multiple devices for an app (representing an OAuth client) on which he/she has already logged in, and so the app continues to use the refresh token to get a new access token, bypassing the login workflow (asking the user for login credentials).
Now one of the devices is lost, and as such the user changes the password for his/her account. With that, we need a way to find (and revoke) all the access/refresh tokens for every OAuth client for that user, so that it can force the app/client to go through the login screens (as the refresh token flow won't work anymore), requiring the user to input credentials on every device.
With that said, if there are any alternatives on how this can be achieved, recommendations would be appreciated.