What is best way to search for refresh tokens by custom user attribute?


We have a custom token attribute for user id, which does not correspond to the developer. So we cannot use the out-of-the-box ability to search for token by developer to find all refresh tokens for a given user. What is the best way to search for tokens by a custom token attribute? We can use a KVM with user as key and refresh token as value, but that risks the KVM getting out of sync with the tokens. Any better suggestions? Thanks.


There could be other ways to implement this, but I can think of this simple approach. Store the User ID as End User ID (app_enduser) in the access token and use this management API to determine all the access tokens for that End User ID. You can find more details about this approach here.

Thanks for the response. The page that you refer to doesn't mention refresh tokens, just access tokens. Does it apply to both?

You'd associate the user information with the access_token, because that's how the model works. There is also a refresh_token associated to the access_token. Search to find access_tokens, and then you'll filter based on refresh_token and user information.

@Dino, does that mean that a valid access token must exist to be able to search for a refresh token? I will need to find refresh tokens long after a valid access token exists. Thanks.


@Jeff Nadeau, custom attributes apply only to access tokens, not to refresh tokens, as access tokens are verified on protected resources (never refresh tokens) and you may need to reference custom attributes there. Also, if you rely on searching access tokens (with whatever custom attribute) to find the relevant refresh token(s), then you will run into issues when the access token expires.

Refresh tokens are supposed to be long lived. One option (not OOTB) is to create a KVM (Key Value Map) and store entries in the format user = {refresh token1, ..., refresh token N}; this could be done right after the refresh token is generated (in another policy). You can then query the KVM to get all refresh tokens associated to a user.
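As an added illustration (not code from this thread or from Apigee), here is the user-keyed KVM index described above modelled in Python: a stand-in token store issues and revokes refresh tokens, the index records each token right after issue, a lookup finds all of a user's refresh tokens so they can be revoked, and a reconcile step drops index entries whose tokens no longer exist, which is the KVM drift the question worries about. All names and values are constructed.

```python
import secrets


class TokenStore:
    """Stand-in for the authoritative OAuth token store (constructed)."""

    def __init__(self):
        self.refresh_tokens = {}  # refresh_token -> user_id

    def issue(self, user_id):
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = user_id
        return rt

    def revoke(self, rt):
        self.refresh_tokens.pop(rt, None)

    def is_valid(self, rt):
        return rt in self.refresh_tokens


class UserRefreshIndex:
    """The KVM: key = user id, value = comma-separated refresh tokens."""

    def __init__(self):
        self.kvm = {}

    def record(self, user_id, rt):
        # Runs right after token generation (the "another policy" step).
        tokens = self.lookup(user_id)
        tokens.add(rt)
        self.kvm[user_id] = ",".join(sorted(tokens))

    def lookup(self, user_id):
        return set(filter(None, self.kvm.get(user_id, "").split(",")))

    def reconcile(self, user_id, store):
        # Keep only tokens the store still knows; this is the drift check.
        live = {rt for rt in self.lookup(user_id) if store.is_valid(rt)}
        self.kvm[user_id] = ",".join(sorted(live))
        return live

    def revoke_all(self, user_id, store):
        # The reason to search by user: revoke every refresh token at once.
        tokens = self.lookup(user_id)
        for rt in tokens:
            store.revoke(rt)
        self.kvm.pop(user_id, None)
        return len(tokens)
```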


@Subrak @Joel D'sa any other thoughts?

@Prithpal Bhogill, thanks. We have decided to go with the KVM route.