0
votes

I am implementing authentication following OAuth 2.0 (Resource Owner Password Credentials Grant). Should I revoke the user when the user changes the password?

1
You mean "revoke existing tokens issued by the user"? - Hans Z.
I mean my service revokes existing tokens when the user changes his password. - Leo

1 Answer

0
votes

With the Resource Owner Password Credentials Grant, you need not revoke the user when he changes the password. The reason is that whenever the user changes the password, the authorization server is updated with the new password, and when the user logs in the next time after changing the password, the new password will be matched for the user and the token will be granted only if the password matches. I think the token provided while changing the password need not be revoked either, as it was granted with the correct client credentials.

The only thing is that when the user logs out the next time, we need to make sure that the password is updated in the authorization server and the token is granted against the new password.
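To make concrete what the question is asking about, here is an added example (not code from the thread) of a minimal in-memory password-grant server in which tokens carry the password version they were issued under, so a password change can invalidate every outstanding token without a token scan. All names, the stores and the sample users are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores; a real service would use a database.
USERS = {}   # username -> {"salt": bytes, "hash": bytes, "pw_version": int}
TOKENS = {}  # access token -> {"user": str, "pw_version": int, "exp": float}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "pw_version": 0}

def password_grant(username, password, ttl=3600):
    """ROPC-style grant: exchange the user's credentials for a bearer token."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["hash"], _hash(password, user["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": username, "pw_version": user["pw_version"],
                     "exp": time.time() + ttl}
    return token

def validate(token):
    """Accept a token only if it is unexpired and was issued under the user's
    current password version; returns the username or None."""
    rec = TOKENS.get(token)
    if rec is None or rec["exp"] < time.time():
        return None
    if rec["pw_version"] != USERS[rec["user"]]["pw_version"]:
        return None  # issued before a password change that revoked old tokens
    return rec["user"]

def change_password(username, old_password, new_password, revoke_existing=True):
    """Rotate the password; bumping pw_version revokes all earlier tokens at once."""
    user = USERS[username]
    if not hmac.compare_digest(user["hash"], _hash(old_password, user["salt"])):
        return False
    user["salt"] = os.urandom(16)
    user["hash"] = _hash(new_password, user["salt"])
    if revoke_existing:
        user["pw_version"] += 1
    return True
```

Setting `revoke_existing=False` reproduces the behaviour the answer describes (old tokens stay valid until they expire); the default makes the password change also end existing sessions.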