Hi,
When a refresh token is created, the user it's linked to is unknown and in the database 'auth_user_id' is 0 (anonymous).
I've spent some time trying different things but I cannot find a way to delete someone's refresh token. I have a button on a user's account page to revoke all tokens; this works for the auth_code and access_tokens but not the refresh token, which means they can just request a new access_token.
How can I remove a specific user's refresh token when there is no link to any uid? I know the information is inside the refresh_token but I can't decrypt it outside of the simple_oauth module. The use case is when a user's phone is stolen: we need to force the user to log in again.
SanderJP
Closed: duplicate
5.0
Code