1
votes

I have configured an OAuth provider in Mule using the OAuth connector, and I give out access tokens to users as and when they log in; they get a new access token for each device they log in with. My question is: what is the best thing to do when a user enters a forgot-password or reset-password scenario?

In this case he wants to revoke access to all the devices which have been given access, so it basically implies revoking all the access tokens given out ... The answer here seems to suggest that the above is a valid approach, so now my question boils down to the best implementation technique in Mule.

Mule does allow the revocation of tokens via <oauth2-provider:revoke-token />, but using it requires me to maintain a list of access tokens given out against each user. I am wondering if this is the only way to handle things in Mule?

1
Can you query the object-store to retrieve all the tokens associated with a resource owner? This is an EE module so I unfortunately can't check that for you... – David Dossot

The OAuth component uses the objectMemory store internally, and if we assume that we could get all tokens associated with a RO, do you reckon that would be enough? Wouldn't we need to have a list of tokens given out for a particular username? – Sudarshan

I will touch base with Mule support and see if I can get any updates on this in the meanwhile. – Sudarshan

That's the best. I hope you can avoid maintaining such an extra user -> token association and re-use something internal... – David Dossot

1 Answer

1
votes

This is what Mulesoft had to say for the query.

Unfortunately, the current code does not have (or expose) the methods to:

  • revoke all tokens granted to a user
  • get all tokens granted to a user

They have decided to log an enhancement for this and that will take its due course; I will update the answer with a link once I have it. Here goes the issue link

The way I have implemented this in the past is to use the object store to maintain a list of tokens issued against a given username; this list will need to be appended to with a new token each time a user logs in.

If the user initiates a password-reset or forgot-password flow, then pull all the tokens against the user and invoke <oauth2-provider:revoke-token /> for each token.

Do let me know if you have any suggestions on the above.
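One way to implement the username -> tokens list that the question asks about and the answer describes, as an added example that is not code from the question, the answer, or MuleSoft: a small Java helper that keeps the list in a Mule 3 object store, appends to it on each login, and walks it during a password reset. It assumes the Mule 3 `org.mule.api.store.ObjectStore` interface (`contains`/`store`/`retrieve`/`remove`) and that the flow supplies the revoke step, i.e. calls `<oauth2-provider:revoke-token />` for each token, through the hypothetical `TokenRevoker` callback; the package and class names are made up for the example.

```java
// Added example; not code from the question, the answer, or MuleSoft.
// Assumptions: Mule 3.x Java API (org.mule.api.store.ObjectStore with
// contains/store/retrieve/remove), and a flow-supplied revoke step
// (the page's <oauth2-provider:revoke-token />) behind TokenRevoker.
package example.oauth;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.mule.api.store.ObjectStore;
import org.mule.api.store.ObjectStoreException;

/** Keeps a username -> list of issued access tokens mapping in a Mule object store. */
public class UserTokenRegistry {

    /** Hypothetical callback: the flow wires it to <oauth2-provider:revoke-token />. */
    public interface TokenRevoker {
        void revoke(String accessToken) throws Exception;
    }

    // Use a dedicated object store for this registry so the username keys
    // cannot collide with keys the OAuth provider stores internally.
    private final ObjectStore<ArrayList<String>> store;

    public UserTokenRegistry(ObjectStore<ArrayList<String>> store) {
        this.store = store;
    }

    /** Append a freshly issued token to the user's list (call after each successful login). */
    public synchronized void recordToken(String username, String accessToken) throws ObjectStoreException {
        ArrayList<String> tokens = load(username);
        if (!tokens.contains(accessToken)) {
            tokens.add(accessToken);
        }
        save(username, tokens);
    }

    /** Tokens currently recorded for the user; empty (never null) for an unknown user. */
    public synchronized List<String> tokensFor(String username) throws ObjectStoreException {
        return Collections.unmodifiableList(load(username));
    }

    /**
     * Password-reset / forgot-password handler: revoke every recorded token, then
     * drop the mapping. A token whose revocation failed stays recorded so that a
     * retry (or the next reset) picks it up instead of silently leaving it valid.
     * Returns the number of tokens successfully revoked.
     */
    public synchronized int revokeAll(String username, TokenRevoker revoker) throws ObjectStoreException {
        ArrayList<String> tokens = load(username);
        ArrayList<String> stillRecorded = new ArrayList<String>();
        int revoked = 0;
        for (String token : tokens) {
            try {
                revoker.revoke(token);
                revoked++;
            } catch (Exception e) {
                stillRecorded.add(token);
            }
        }
        if (stillRecorded.isEmpty()) {
            if (store.contains(username)) {
                store.remove(username);
            }
        } else {
            save(username, stillRecorded);
        }
        return revoked;
    }

    private ArrayList<String> load(String username) throws ObjectStoreException {
        if (!store.contains(username)) {
            return new ArrayList<String>();
        }
        // Copy so callers never mutate the stored list in place.
        return new ArrayList<String>(store.retrieve(username));
    }

    /** Mule 3's ObjectStore.store() rejects an existing key, so "replace" is remove + store. */
    private void save(String username, ArrayList<String> tokens) throws ObjectStoreException {
        if (store.contains(username)) {
            store.remove(username);
        }
        store.store(username, tokens);
    }
}
```

In the flow, `recordToken` runs right after the token is issued on login, and the reset flow calls `revokeAll`, passing a revoker that hands each token to `<oauth2-provider:revoke-token />`. Two caveats worth checking in your deployment: `synchronized` only serialises updates inside one JVM, so a clustered or persistent object store needs locking at the store level (or a single-node writer) to avoid a lost-update dropping a token from the list; and the list should also be pruned when tokens expire naturally, otherwise it grows for the lifetime of the account.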