Hi all. My question is related to the Client Credentials flow only.
So we have CLIENT_ID and CLIENT_SECRET only.
If we change the CLIENT_SECRET, all existing access tokens remain valid and active. My goal is to make such tokens inactive.
It seems this doesn't happen automatically on a CLIENT_SECRET change, so I was looking for a special "revoke all tokens"
endpoint, but it looks like it doesn't fit the Client Credentials flow. Am I missing something?
Hey surfman,
Is this what you are looking for?
Thanks @vinckr, but I'm not quite sure that it can help.
I need to know the exact token in order to revoke it, right? I mean, if I change the CLIENT_SECRET, I don't know the tokens that are already in use.
Is there any way to get a list of all active tokens per Client, so I can revoke them?
This is currently only possible by deleting and re-creating the client with a new secret. Changing the secret does not invalidate the tokens, as it could be part of a routine such as rotating secrets.
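The behaviour the thread converges on (secret rotation leaves issued client-credentials tokens active, RFC 7009 revocation needs the exact token, and deleting the client is what makes its tokens inactive) can be traced through a small model of an authorization server's client and token tables. This is an added example written for this thread, not ORY Hydra's code: the class, the method names (`token_endpoint`, `revoke_endpoint`, `introspect`, `rotate_secret`, `delete_client`) and the cascading delete of a client's tokens are assumptions of the model, and the client "batch-job" and its secrets are constructed sample data.

```python
"""Toy model of an OAuth2 authorization server's client and token tables.

Added example for this thread, not ORY Hydra's code. Tokens are opaque
(a random string looked up in a table). All method names are invented
for the model.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    # client_id -> secret (plaintext here; a real server stores a hash)
    clients: dict = field(default_factory=dict)
    # opaque access token -> client_id it was issued to
    tokens: dict = field(default_factory=dict)
    # tokens revoked through the RFC 7009 endpoint
    revoked: set = field(default_factory=set)

    def create_client(self, client_id: str, secret: str) -> None:
        self.clients[client_id] = secret

    def rotate_secret(self, client_id: str, new_secret: str) -> None:
        # Only the client record changes; the token table is untouched, so
        # everything issued under the old secret stays active.
        self.clients[client_id] = new_secret

    def delete_client(self, client_id: str) -> None:
        # Model assumption: deleting the client cascades to its tokens, so a
        # client later re-created under the same client_id does not inherit them.
        del self.clients[client_id]
        self.tokens = {t: c for t, c in self.tokens.items() if c != client_id}

    def token_endpoint(self, client_id: str, client_secret: str) -> str:
        """grant_type=client_credentials: authenticate the client, mint a token."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = client_id
        return token

    def revoke_endpoint(self, token: str) -> None:
        """RFC 7009 revocation: the caller has to present the exact token."""
        self.revoked.add(token)

    def introspect(self, token: str) -> dict:
        """RFC 7662-style introspection: active only if the token was issued,
        is not revoked, and the issuing client still exists."""
        client_id = self.tokens.get(token)
        if client_id is None or token in self.revoked or client_id not in self.clients:
            return {"active": False}
        return {"active": True, "client_id": client_id}


def run_scenario() -> dict:
    """Walk through the thread's scenario and report what introspection says."""
    srv = AuthServer()
    srv.create_client("batch-job", "old-secret")  # constructed sample client
    tok_a = srv.token_endpoint("batch-job", "old-secret")
    tok_b = srv.token_endpoint("batch-job", "old-secret")
    out = {}

    # 1. Rotating the secret: issued tokens stay active, old secret stops working.
    srv.rotate_secret("batch-job", "new-secret")
    out["active_after_rotation"] = srv.introspect(tok_a)["active"]
    try:
        srv.token_endpoint("batch-job", "old-secret")
        out["old_secret_still_authenticates"] = True
    except PermissionError:
        out["old_secret_still_authenticates"] = False

    # 2. Per-token revocation works, but only for a token you actually hold.
    srv.revoke_endpoint(tok_b)
    out["revoked_token_active"] = srv.introspect(tok_b)["active"]
    out["unrevoked_token_active"] = srv.introspect(tok_a)["active"]

    # 3. Delete and re-create the client: every token it issued is now inactive,
    #    while the re-created client can mint fresh ones.
    srv.delete_client("batch-job")
    srv.create_client("batch-job", "new-secret")
    out["active_after_recreate"] = srv.introspect(tok_a)["active"]
    fresh = srv.token_endpoint("batch-job", "new-secret")
    out["new_token_active"] = srv.introspect(fresh)["active"]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The cascade in `delete_client` is the part worth checking against a real server: if the token table were left alone, re-creating a client under the same `client_id` would make the old tokens pass introspection again, which is exactly the outcome the delete-and-recreate workaround is meant to prevent.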