Layer7 API Management

  • 1.  Does Layer7 OTK revoke Access, Refresh token when a user changes his/her password?

    Posted Mar 17, 2017 09:48 PM

    I know this is not addressed in the OAuth spec itself, but it seems logical and good security practice. I wanted to know if the OTK has this built-in feature. FYI, some COTS products and Google do it.



  • 2.  Re: Does Layer7 OTK revoke Access, Refresh token when a user changes his/her password?

    Broadcom Employee
    Posted Mar 17, 2017 09:54 PM

    Kd,

    Let me send you an email directly on this.

    Derek

    Sent from my iPhone



  • 3.  Re: Does Layer7 OTK revoke Access, Refresh token when a user changes his/her password?

    Posted Apr 03, 2017 03:07 PM

    Kaladhar,

    Why would you want to invalidate the token? It's the same user as far as I understand, and the user's credentials were accepted when the user granted access to his resources.

    Maybe you can share your thoughts on this.

    Thanks,

    Sascha



  • 4.  Re: Does Layer7 OTK revoke Access, Refresh token when a user changes his/her password?

    Posted May 19, 2017 10:28 PM

    For fraud and risk reasons, sometimes we have to force the user to go through a password reset. At that time we do not want any tokens to be active that were issued for the same user with the previous password.



  • 5.  Re: Does Layer7 OTK revoke Access, Refresh token when a user changes his/her password?

    Posted May 19, 2017 11:13 PM

    Kaladhar,

    Actually, we have received this question a few times in the last few weeks.

    The solution would be to create an API in OTK that gets called whenever a user changes his password at the IDP.

    I will write a blog post within the next few days to show how an API can be built that takes a username (and some other credentials) and revokes all OAuth tokens for that user.

    Best regards!



  • 6.  Re: Does Layer7 OTK revoke Access, Refresh token when a user changes his/her password?

    Posted May 24, 2017 10:21 PM

    It will be hard for IDPs to call APIs on the gateway when a user changes passwords. Instead, customize the /auth/oauth/v2/token endpoint to verify the user's password-last-set attribute before issuing an access token when a refresh token is presented for authentication. This varies based on the identity provider, but it is pwdLastSet in Microsoft Active Directory. Access tokens typically should be short-lived, anywhere from 1 hr to a maximum of 1 day, for enterprise mobile applications for the same security reasons. Only refresh tokens or ID tokens are long-term, to avoid challenging for resource owner credentials and to support mobile SSO. Revoke refresh tokens or ID tokens if the password changed since they were last issued.

    Also, it is not advised to validate pwdLastSet in the protected API when using OTK Require OAuth Token, due to performance reasons.
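    To make the check described in replies 5 and 6 concrete, here is an added Python example; it is not OTK policy code and was not written by any poster in this thread. It assumes a constructed in-memory refresh token store, a pwdLastSet value already read from Active Directory (a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC), and that in OTK the equivalent logic would sit in the customized token endpoint policy; `revoke_stale_tokens` is the batch form that a "revoke all tokens for a user" API, as proposed in reply 5, would perform.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC); AD's pwdLastSet counts 100-ns ticks from here.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000  # 1970-01-01 UTC expressed as FILETIME

def pwd_last_set_to_datetime(pwd_last_set):
    """Convert an AD pwdLastSet FILETIME value to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)

def datetime_to_pwd_last_set(when):
    """Inverse conversion; used here only to build the constructed sample data."""
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def check_refresh_grant(token, pwd_last_set, skew=timedelta(0)):
    """Decide whether a presented refresh token may be exchanged for a new access token.

    pwdLastSet == 0 means AD requires a password change at next logon, so refuse.
    A password set after the token's issue time also refuses the grant; `skew` is an
    optional tolerance for clock drift between the IdP and the gateway (default none).
    """
    if pwd_last_set == 0:
        return False, "password_change_required"
    changed_at = pwd_last_set_to_datetime(pwd_last_set)
    if changed_at > token["iat"] + skew:
        return False, "password_changed_after_issue"
    return True, "ok"

def revoke_stale_tokens(store, sub, pwd_last_set):
    """Revoke every stored refresh token of `sub` issued before the password change.

    Same rule as check_refresh_grant, applied to the whole store; returns revoked ids.
    """
    revoked = []
    for token_id, token in store.items():
        if token["sub"] == sub and not token["revoked"]:
            ok, _ = check_refresh_grant(token, pwd_last_set)
            if not ok:
                token["revoked"] = True
                revoked.append(token_id)
    return revoked

# Constructed sample data: two refresh tokens for one user, password reset between them.
PASSWORD_RESET_AT = datetime(2017, 5, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = datetime_to_pwd_last_set(PASSWORD_RESET_AT)
SAMPLE_STORE = {
    "rt-old": {"sub": "alice", "iat": datetime(2017, 5, 19, 22, 30, tzinfo=timezone.utc), "revoked": False},
    "rt-new": {"sub": "alice", "iat": datetime(2017, 5, 20, 9, 10, tzinfo=timezone.utc), "revoked": False},
}
```

    Reading pwdLastSet on every refresh grant costs an LDAP lookup per exchange, which is why the reply above keeps that check at the token endpoint rather than in every protected API.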



  • 7.  Re: Does Layer7 OTK revoke Access, Refresh token when a user changes his/her password?

    Posted May 25, 2017 12:27 PM

    The question is not whether it's hard for an IDP to call an API or not. It is simply the only way of doing it at the time when usernames or passwords change.