Issue
When a user changes their password, security requires that they log in again on all other devices. The current token endpoint only revokes the session associated with the current token, leaving the sessions on other devices valid. This behavior is a security concern in environments that require strict session control.
Solution
A new endpoint has been implemented to address this issue, enabling the revocation of tokens across all devices associated with a user.
New Endpoint Details
Endpoint URL
Description
This endpoint will revoke the user's access tokens, refresh tokens, and SSO sessions for all devices, except for the session related to the provided token unless otherwise specified.
- If the query parameter deleteCurrentToken=true is included, the current token will also be revoked.
Example Request
DELETE https://auth-dev.ciam.test/default/tokens?deleteCurrentToken=true
Behavior
- Without Query Parameter (deleteCurrentToken not provided): Revokes all tokens and sessions except the one related to the provided access token.
- With Query Parameter (deleteCurrentToken=true): Revokes all tokens, including the current session token.
Use Case Workflow
- Scenario:
  - The user is logged in on devices A, B, and C.
  - The user changes their password on device A.
- Action:
  - The backend triggers the new endpoint to revoke tokens for devices B and C.
- Outcome:
  - The tokens for devices B and C are invalidated.
  - The user must log in again with the new password on those devices.
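The following is an added example that is not part of this article or the service's own code. It models the Behavior and Use Case Workflow sections above: a client-side helper that builds the DELETE request (with and without deleteCurrentToken=true), and a minimal in-memory stand-in for the server side that revokes every session of the calling user except the one behind the presented token. The host and path come from the example request above; the session store layout, the field names, and the helper names are assumptions made for illustration.

```python
"""Added example (not the page's or the service's own code): an in-memory
model of the DELETE /tokens endpoint and the password-change workflow.

Assumptions (not in the original): the session store layout, the session
and token field names, and the helper names are hypothetical; only the
host, path and query parameter come from the article's example request.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlunsplit


@dataclass
class Session:
    """One device login: an SSO session with its access and refresh tokens."""
    session_id: str
    device: str
    access_token: str
    refresh_token: str
    revoked: bool = False


@dataclass
class SessionStore:
    """Hypothetical in-memory store: user id -> list of that user's sessions."""
    sessions: dict = field(default_factory=dict)

    def add(self, user: str, s: Session) -> None:
        self.sessions.setdefault(user, []).append(s)

    def find_by_access_token(self, token: str):
        """Resolve a presented access token to (user, session); revoked tokens never match."""
        for user, sess in self.sessions.items():
            for s in sess:
                if s.access_token == token and not s.revoked:
                    return user, s
        return None, None

    def active(self, user: str):
        return [s for s in self.sessions.get(user, []) if not s.revoked]


def build_revoke_request(access_token: str, delete_current_token: bool = False) -> dict:
    """Client side: the request a backend sends to the endpoint after a password change.

    Without delete_current_token the URL has no query string and the caller's own
    session survives; with it, deleteCurrentToken=true is appended and the caller
    is logged out as well.
    """
    query = urlencode({"deleteCurrentToken": "true"}) if delete_current_token else ""
    url = urlunsplit(("https", "auth-dev.ciam.test", "/default/tokens", query, ""))
    return {"method": "DELETE", "url": url,
            "headers": {"Authorization": f"Bearer {access_token}"}}


def handle_delete_tokens(store: SessionStore, access_token: str,
                         delete_current_token: bool = False) -> dict:
    """Server-side model of DELETE /tokens.

    The presented token must still be valid (an already revoked token cannot be
    used to revoke anything else). Every active session of that user is revoked;
    the session behind the presented token is kept unless deleteCurrentToken=true.
    Revoking a session invalidates its access token, refresh token and SSO session.
    """
    user, current = store.find_by_access_token(access_token)
    if current is None:
        return {"status": 401, "revoked": []}
    revoked = []
    for s in store.sessions[user]:
        if s.revoked:
            continue
        if s is current and not delete_current_token:
            continue
        s.revoked = True
        revoked.append(s.device)
    return {"status": 204, "revoked": revoked}


def make_demo_store() -> SessionStore:
    """Constructed sample data: user 'alice' logged in on devices A, B and C."""
    store = SessionStore()
    for dev in ("A", "B", "C"):
        store.add("alice", Session(f"sess-{dev}", dev, f"tok-{dev}", f"rt-{dev}"))
    return store


def password_change_on_device_a() -> list:
    """The article's workflow: password changed on A, backend revokes B and C.

    Returns the devices that still hold a valid session afterwards.
    """
    store = make_demo_store()
    req = build_revoke_request("tok-A")            # device A's token, no query parameter
    assert "deleteCurrentToken" not in req["url"]  # A must stay logged in
    handle_delete_tokens(store, "tok-A")
    return [s.device for s in store.active("alice")]


if __name__ == "__main__":
    print("still logged in after password change on A:", password_change_on_device_a())
```

A defender-side check worth keeping in the real handler is the 401 branch: the endpoint only trusts a token that is itself still valid, so a token revoked by an earlier call cannot be replayed to log the user out again.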
Conclusion
The new /tokens endpoint provides an efficient solution to enforce session invalidation across all devices when a user changes their password. This improves security and ensures a consistent experience across devices.