
Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

Question asked by sdora on Mar 10, 2017
Latest reply on Mar 23, 2017 by Seenu_Mathew

When we try to delete all the tokens for a 'resource_owner' specific to a 'client_key' using the token store API:

API endpoint: /oauth/tokenstore/revoke

Method: DELETE

Parameters: resource_owner, client_key

Expected Behavior:

In all scenarios, all the tokens (access tokens and refresh tokens) belonging to the given resource_owner for the client_key should be deleted.

Observed Behavior:

If any of the access_tokens for the same resource_owner and client_key have expired and the corresponding refresh_tokens are still active, then this API does not delete those active refresh_tokens.

These refresh_tokens can then be used again to generate new access_tokens, which is not the desired behavior.

Is there any better way to delete all the tokens for a resource_owner and given client_key?

Thanks,

Sunita
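The failure mode described in the question, modelled as an added example that is not part of the original post or of the gateway's own code: a constructed in-memory token store holds grants (access/refresh pairs) for a resource_owner and client_key, a hypothetical revoke that only considers still-valid access tokens is placed beside one that drops every grant for the pair, and a post-revocation check lists the refresh tokens that could still mint new access tokens. The grant layout, token values and expiry times are all constructed assumptions.

```python
from dataclasses import dataclass

NOW = 1_000_000  # constructed "current time" in seconds


@dataclass
class Grant:
    """One issued access/refresh pair (constructed model, not the gateway's schema)."""
    resource_owner: str
    client_key: str
    access_token: str
    access_expires: int
    refresh_token: str
    refresh_expires: int


def constructed_store():
    # Same owner/client twice: grant 1 has a live access token, grant 2 has an
    # expired access token but a refresh token that is still valid for a day.
    return [
        Grant("alice", "client-A", "at-1", NOW + 600, "rt-1", NOW + 86400),
        Grant("alice", "client-A", "at-2", NOW - 60, "rt-2", NOW + 86400),
        Grant("bob", "client-A", "at-3", NOW + 600, "rt-3", NOW + 86400),
    ]


def revoke_via_live_access_tokens(store, owner, client, now=NOW):
    """Hypothetical model of the reported behaviour: only grants whose access
    token has not yet expired are selected, so grant 2's refresh token survives."""
    return [g for g in store
            if not (g.resource_owner == owner and g.client_key == client
                    and g.access_expires > now)]


def revoke_all_for_owner_and_client(store, owner, client):
    """Expected behaviour: every grant for the owner/client pair is removed,
    regardless of whether its access token has already expired."""
    return [g for g in store
            if not (g.resource_owner == owner and g.client_key == client)]


def live_refresh_tokens(store, owner, client, now=NOW):
    """Post-revocation check: refresh tokens still able to mint access tokens."""
    return sorted(g.refresh_token for g in store
                  if g.resource_owner == owner and g.client_key == client
                  and g.refresh_expires > now)
```

After calling the real DELETE endpoint, the equivalent check against the gateway's token store (any refresh token still valid for the owner/client pair) is what confirms whether the revocation actually covered expired-access grants.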
