There is a requirement in our application: When users change their password, all other logins (from other devices or computers) should be re-authenticated (except for the current user's session).
I read below (link provided below and cited the paragraph which is relevant) and got the idea: revoke all the tokens for a user.
But I'm not sure how to implement this (revoke all tokens). We are using Jersey and OAuth2.
Does revoking tokens mean removing the existing access token/refresh token from the session and cookie, then replacing them with new tokens?
Thanks
[Best practice for REST token-based authentication with JAX-RS and Jersey]
Handling token revocation with JWT
If you want to revoke tokens, you must keep track of them. You don't need to store the whole token on the server side; store only the token identifier (which must be unique) and some metadata if you need it. For the token identifier you could use a UUID.
The jti claim should be used to store the token identifier in the token. When validating the token, ensure that it has not been revoked by checking the value of the jti claim against the token identifiers you have on the server side.
For security purposes, revoke all the tokens for a user when they change their password.
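The following is an added example, not code from the question or from the linked answer, showing the jti-based scheme end to end: tokens are minted with a unique jti, only the jti and a little metadata are kept server-side, validation rejects any token whose jti is no longer registered, and a password change revokes every token of that user except the one the request came in on. It is written in Python rather than Jersey/JAX-RS so it runs stand-alone; the HS256 signing is hand-rolled here only to avoid a library dependency (a real service would use a JWT library), and `SECRET`, `TokenStore`, `issue_token`, `validate_token` and `change_password` are names assumed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Assumed demo key for this example only; a real deployment loads it from
# configuration or a KMS and never hard-codes it.
SECRET = b"assumed-demo-signing-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class TokenStore:
    """Server-side record of issued tokens, keyed by the jti claim.

    Only the identifier plus a little metadata (subject, expiry) is stored,
    never the token itself. A token is valid only while its jti is present,
    so revocation is simply deleting the entry.
    """

    def __init__(self):
        self._active = {}  # jti -> {"sub": ..., "exp": ...}

    def register(self, jti, sub, exp):
        self._active[jti] = {"sub": sub, "exp": exp}

    def is_active(self, jti):
        return jti in self._active

    def revoke_all_for_user(self, sub, keep_jti=None):
        """Revoke every token of `sub` except `keep_jti` (the current session)."""
        revoked = [j for j, m in self._active.items()
                   if m["sub"] == sub and j != keep_jti]
        for j in revoked:
            del self._active[j]
        return revoked


def issue_token(store, sub, ttl_seconds=3600):
    """Mint an HS256 JWT with a fresh UUID jti and register that jti."""
    now = int(time.time())
    jti = str(uuid.uuid4())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_seconds, "jti": jti}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    store.register(jti, sub, payload["exp"])
    return signing_input + "." + _b64url(sig)


def validate_token(store, token):
    """Return the payload if signature, alg, expiry and jti all check out, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    if header.get("alg") != "HS256":  # never trust the token's own alg choice
        return None
    if payload.get("exp", 0) <= int(time.time()):
        return None
    jti = payload.get("jti")
    if not jti or not store.is_active(jti):
        return None  # revoked, expired-and-purged, or never issued by us
    return payload


def change_password(store, sub, current_token):
    """Password-change handler: revoke all other sessions of this user.

    The caller's own token is left registered so the current session survives;
    persisting the new password hash is assumed to happen here and is not shown.
    """
    payload = validate_token(store, current_token)
    if payload is None or payload["sub"] != sub:
        raise PermissionError("current session is not valid")
    return store.revoke_all_for_user(sub, keep_jti=payload["jti"])


if __name__ == "__main__":
    store = TokenStore()
    phone, laptop = issue_token(store, "alice"), issue_token(store, "alice")
    print("revoked:", change_password(store, "alice", laptop))
    print("phone still valid:", validate_token(store, phone) is not None)
    print("laptop still valid:", validate_token(store, laptop) is not None)
```

Note what this answers for the question above: revocation is a server-side act (the jti entry disappears), not a matter of clearing cookies on the client. The other devices still hold a syntactically valid, correctly signed token, but it fails the jti lookup on the next request and they are forced to re-authenticate; the current session keeps its token and needs nothing reissued. The jti lookup is the cost of this design, so the store should be fast (a cache or an indexed table) and expired entries should be purged periodically.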