# talk-hydra
q
Hello everyone, Is there a way to revoke a refresh token(s) for a user issued to any apps/clients without having the client secret for any of the apps (maybe via admin endpoint). We still want to retain the consent but just invalidate refresh tokens that may have been issued to any app(s) on behalf of the user in order to force users to provide password to get token and API access. Appreciate your thoughts and suggestions.
m
Hey Sagar, it's been a while! Are you using Ory in production now?
As for your question: Yes, you can revoke user consent for all OAuth2 clients using the Ory SDK. This will automatically revoke all related access and refresh tokens. However, please note that this method should not be used to invalidate user sessions. Here is a code snippet for revoking user consent for all OAuth2 clients:
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

// Admin client for the Ory project; the API key authenticates the admin call,
// so no OAuth2 client secret is needed.
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

// Revokes every consent session of the subject; Hydra then revokes the
// access and refresh tokens issued under those sessions.
export async function revokeConsent() {
  const { data } = await ory.revokeOAuth2ConsentSessions({
    subject: "some-user-id",
    all: true,
  })
  return data
}
```
In this code, `subject` is the user-id for which you want to revoke the consent. The `all` parameter is set to `true` to revoke consent for all OAuth2 clients. Please note that if you are using access and refresh tokens as user sessions instead of browser cookies, you should revise your approach and usage of OAuth2.
q
Thank you for your suggestions @magnificent-energy-493. Yes, we are using Ory Hydra in production now. I think we don't want to call remove consent because if in future the user tries to log in he will need to go through the consent authorization again, which we intend to show only on first login and then remember the consent. The scenario in which we want to remove this refresh token is when a user's account is disabled or a user's password is changed, so as to force them to log in and authenticate again on the external 3rd party apps.