Is there any secured API to revoke all the tokens for an OAuth 2 client?
Use case: A client has previously been authorized by the user to access various APIs, which are now being removed. As part of that, the client would no longer be able to obtain user tokens with the removed scope, but what happens to previously issued tokens that carry the original scopes?
Can those be revoked somehow? Don't they need to be revoked?
@sagarshah1983 I don't think that this is supported; there are delete-session APIs for login/consent for a specific user. I assume that would require extending the login/consent manager with a method such as RevokeClientConsentSession, but maybe @hackerman can say more.
Yes, revoke the consent for the client. There is an API for that!
@hackerman
Can you please point me to that page?
The API that I referred to is capable of revoking it for a client for a given user. I am thinking about whether we should have a secured API that enables deleting/revoking the tokens for a specific client in general, without looking at the subject/user.
Delete the client if you wish to remove all tokens.
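As an added illustration, not code from this thread or from the project being discussed, the sketch below models the three options raised above in a minimal in-memory authorization server: per-subject/per-client consent revocation, client-wide revocation regardless of subject, and deleting the client outright. It also shows the point behind the original question: removing a scope from a client only affects future issuance, so already-issued tokens still carry the old scope unless introspection clamps it to what the client may hold today, or the tokens are revoked. All names here (`TokenStore`, `revoke_consent`, `revoke_client_tokens`, `delete_client`, `introspect`) are assumptions for this example and do not correspond to any real product API.

```python
"""Added example (not Hydra's or any other server's code): how tokens issued
before a client's allowed scopes were reduced can be handled."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    allowed_scopes: set[str]


@dataclass
class Token:
    value: str
    client_id: str
    subject: str
    scopes: set[str]
    expires_at: float
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for an authorization server's client and token tables."""

    def __init__(self) -> None:
        self.clients: dict[str, Client] = {}
        self.tokens: dict[str, Token] = {}

    def register_client(self, client_id: str, allowed_scopes: set[str]) -> Client:
        client = Client(client_id, set(allowed_scopes))
        self.clients[client_id] = client
        return client

    def issue(self, client_id: str, subject: str, scopes: set[str], ttl: int = 3600) -> Token:
        client = self.clients[client_id]
        # Refuse any scope the client is not currently allowed to request.
        if not scopes <= client.allowed_scopes:
            raise ValueError(f"scope not allowed for {client_id}: {sorted(scopes - client.allowed_scopes)}")
        token = Token(secrets.token_urlsafe(32), client_id, subject, set(scopes), time.time() + ttl)
        self.tokens[token.value] = token
        return token

    def remove_client_scope(self, client_id: str, scope: str) -> None:
        # Affects future issuance only; tokens already handed out still carry the scope.
        self.clients[client_id].allowed_scopes.discard(scope)

    def introspect(self, value: str, now: float | None = None) -> dict:
        """RFC 7662-style response. The reported scope is clamped to what the client
        may hold today, so a token issued with a since-removed scope loses that
        scope at the resource server even if nobody revoked the token."""
        now = time.time() if now is None else now
        token = self.tokens.get(value)
        client = self.clients.get(token.client_id) if token else None
        if token is None or client is None or token.revoked or token.expires_at <= now:
            return {"active": False}
        effective = token.scopes & client.allowed_scopes
        if not effective:
            return {"active": False}
        return {"active": True, "client_id": token.client_id,
                "sub": token.subject, "scope": " ".join(sorted(effective))}

    def revoke_consent(self, subject: str, client_id: str) -> int:
        """Per-subject, per-client revocation (the shape of a consent-session delete)."""
        return self._revoke(lambda t: t.subject == subject and t.client_id == client_id)

    def revoke_client_tokens(self, client_id: str) -> int:
        """Client-wide revocation, ignoring the subject (what the question asks for)."""
        return self._revoke(lambda t: t.client_id == client_id)

    def delete_client(self, client_id: str) -> int:
        """Deleting the client invalidates everything it holds: tokens are marked
        revoked and introspection can no longer resolve the client anyway."""
        count = self.revoke_client_tokens(client_id)
        self.clients.pop(client_id, None)
        return count

    def _revoke(self, predicate) -> int:
        count = 0
        for token in self.tokens.values():
            if not token.revoked and predicate(token):
                token.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = TokenStore()
    store.register_client("app", {"read", "write"})
    t = store.issue("app", "alice", {"read", "write"})
    store.remove_client_scope("app", "write")
    print(store.introspect(t.value))          # still active, but scope is now just "read"
    print(store.revoke_client_tokens("app"))  # 1 token revoked for the whole client
    print(store.introspect(t.value))          # {'active': False}
```

The clamp in `introspect` is the cheap mitigation for the "previously issued tokens with the original scopes" case when a bulk per-client revocation is not available; it only helps resource servers that introspect rather than trusting self-contained tokens, which is why an explicit revocation path still matters.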