
I have a server which protects its API with OAuth2 authentication.

The scenario:

  1. User asks for a token (password flow).
  2. User deactivates/deletes their account.
  3. The token is still valid (I know that it's possible to invalidate a token, but there is another scenario where the user generates tokens from 2 different clients (browser/mobile) or 2 different browsers -> receives two valid tokens -> impossible to invalidate 2 different tokens, so one is still valid).

How should I protect my API from a valid token whose owner isn't relevant anymore?

  1. Should I invalidate all tokens related to the user at the moment of account deactivation/deletion? Not sure if it's a good idea to store all of a user's tokens in the database.
  2. Should I check that the user is still active for every operation after token verification? It's a big overhead for such an edge case.

*In a situation where all the user's related data is deleted as well there is no problem (the API's response will be empty), but there are cases where this data isn't deleted.

Thanks!

borisirota

1 Answer


You can reduce the lifetime of access tokens and use them in combination with refresh tokens. Your information will only ever be as stale as the lifetime of the access token so set it to whatever you think is acceptable, at the cost of your clients having to go back to the Authorization Server to get a new access token (this is where the deleted account check takes place). See: Why Does OAuth v2 Have Both Access and Refresh Tokens?.

Hans Z.
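The pattern the answer describes, as an added example that is not the answerer's own code: the resource server validates a short-lived, HMAC-signed access token with no database lookup, while the refresh step on the authorization server is the only place the account's active flag is consulted. The signing key, the in-memory user store and the refresh-token store are constructed for the demo; a `now` parameter replaces the wall clock so the expiry behaviour can be reproduced.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SECRET = b"demo-signing-key"          # constructed; use a real key in production
ACCESS_TTL = 300                      # seconds; bounds how long a deleted account's token survives
users = {"alice": {"active": True}}   # constructed account store
refresh_store = {}                    # refresh_token -> username, held by the auth server only

def _sign(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify_access(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resource server check: signature and expiry only, no user lookup."""
    now = time.time() if now is None else now
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload["sub"] if payload["exp"] > now else None

def issue_tokens(username: str, now: Optional[float] = None) -> Optional[dict]:
    """Auth server: only an active account gets a token pair (password flow or refresh)."""
    now = time.time() if now is None else now
    if not users.get(username, {}).get("active"):
        return None
    refresh = secrets.token_urlsafe(32)
    refresh_store[refresh] = username
    return {"access_token": _sign({"sub": username, "exp": now + ACCESS_TTL}),
            "refresh_token": refresh}

def refresh_tokens(refresh_token: str, now: Optional[float] = None) -> Optional[dict]:
    """Auth server: the refresh step is where the deactivated-account check lives."""
    username = refresh_store.pop(refresh_token, None)   # single use: rotate on every refresh
    if username is None:
        return None
    return issue_tokens(username, now)

def deactivate(username: str) -> None:
    users[username]["active"] = False
```

After `deactivate`, an access token already in the wild keeps working until its `exp` passes (at most `ACCESS_TTL` seconds), and every refresh attempt is refused, whichever client or browser holds the refresh token.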