Design Suggestion: Invalidating Access token on password change


Hi,

This is a generic OAuth design question and not specific to Apigee.

We have a password grant where we issue a JWT token and a standard refresh token with OAuth. The OAuth server (Apigee) checks the credentials against the backend during the password grant flow.

The OAuth server also supports the authorization code flow using integration with a SAML IdP.

The problem arises when users change their password in the backend. The requirement is to invalidate the refresh token when this happens, so that on expiry of the JWT token, when a new token is requested using the refresh token, the request fails and the user is required to provide the password again to the app.

We could do it 2 ways:

1) Ask the source system to call an endpoint in Apigee to invalidate the tokens of an end user id. This makes the backend aware of the API manager, which makes it cyclic.

2) When a new token is requested with the refresh token call, Apigee checks the backend for whether there was any change. We are using either the SCIM API or SAML, and there is no standard way for the backend server to indicate that the password was changed. Hence this would require a custom specification, and we need to integrate with more third parties in future, which makes this option more difficult.

Is there any wisdom on how this scenario of syncing the API manager token with the user status in the backend is usually handled?

Thanks in advance

Jaskaran

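One common way to realise option 2 without making the backend aware of the API manager, shown here as an added example rather than code from the post or from Apigee: the token server records a credential version for the user when it issues a refresh token, and on refresh it re-reads that version from the backend and refuses to mint new tokens if it has moved. The `Backend` class, its `credential_version()` marker (a password-changed-at timestamp or counter, i.e. the custom attribute the post says SCIM/SAML do not standardise) and the in-memory token store are all constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass


class Backend:
    """Constructed stand-in for the user store the password grant checks against.
    credential_version() is a hypothetical marker that changes on every password
    change; it is an assumption, not a standard SCIM or SAML attribute."""

    def __init__(self):
        self._users = {"alice": {"password": "old-pw", "pw_version": 1}}

    def check_password(self, user, password):
        u = self._users.get(user)
        return u is not None and secrets.compare_digest(u["password"], password)

    def credential_version(self, user):
        return self._users[user]["pw_version"]

    def change_password(self, user, new_password):
        self._users[user]["password"] = new_password
        self._users[user]["pw_version"] += 1  # any password change bumps the marker


@dataclass
class RefreshRecord:
    user: str
    pw_version: int     # credential version captured when the token was issued
    expires_at: float


class TokenServer:
    def __init__(self, backend, refresh_ttl=30 * 24 * 3600):
        self.backend = backend
        self.refresh_ttl = refresh_ttl
        self._refresh_tokens = {}  # opaque refresh token -> RefreshRecord

    def _issue(self, user):
        rt = secrets.token_urlsafe(32)
        self._refresh_tokens[rt] = RefreshRecord(
            user, self.backend.credential_version(user), time.time() + self.refresh_ttl)
        # "jwt-for-<user>" is a placeholder for the real short-lived JWT access token
        return {"access_token": f"jwt-for-{user}", "refresh_token": rt}

    def password_grant(self, user, password):
        return self._issue(user) if self.backend.check_password(user, password) else None

    def refresh(self, rt):
        rec = self._refresh_tokens.pop(rt, None)  # one-time use: rotate on every refresh
        if rec is None or rec.expires_at < time.time():
            return None
        if rec.pw_version != self.backend.credential_version(rec.user):
            return None  # password changed since issuance: force the app to re-authenticate
        return self._issue(rec.user)
```

Because the check happens only at refresh time, an already-issued JWT stays valid until it expires, which is why the post pairs this with a short JWT lifetime.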