I have configured a OAuth provider in Mule using the OAuth connector, and I give out access tokens to users as and when they login, they get a new access token for each device they login with, my question is what is the best thing to do when a user enters in a forgot password or reset password scenario ?
In this case he wants to revoke access to all the devices which have been given access, so it basically implies revoking all the access token given out ... The answer here seems to suggest that the above is a valid approach, so now my question boils down to the best implementation technique in mule.
Mule does allow the revocation of tokens via <oauth2-provider:revoke-token /> but using it requires me to maintain a list of access token given out against each user, I am wondering if this is the only way to handle things in mule ?
This is what Mulesoft had to say for the query.
They have decided to log an enhancement for this and that will take its due course, will update the answer with a link once I have it. Here goes the issue link
The way I have implemented this in the pass is to use the objectstore to main a list of token issued against a given username, this list will need to be appended to with a new token each time a user logins.
If the user initiates a password reset or forgot password flow then pull all the token against the user and invoke
<oauth2-provider:revoke-token />for each token.Do let me know if you have any suggestions on the above.