Delete refresh tokens from the user profile page

Created on 15 March 2018, about 7 years ago

Updated 26 February 2025, about 1 month ago

Hi,

When a refresh token is created, the user it's linked to is unkown and in the database 'auth_user_id' is 0 (annonymous).
I've spend some time trying different things but I cannot find a way how to delete someone's refresh token. I have a button on a users account page to revoke all tokens, this works for the auth_code and access_tokens but not the refresh token. Which mean they can just request a new access_token.

How can I remove a specific user's refresh token when there is no link to any uid? I know the information is inside the refresh_token but I can't decrypt it outside of the simple_oauth module. The use case is when a users phone is stolen, we need to force the user to login again.

SanderJP

✨ Feature request

Status

Closed: duplicate

Version

5.0

Component

Code

Created by

🇳🇱Netherlands SanderJP

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 1 month ago →
🇳🇱Netherlands bojan_dev
Fixed in #2974963: Link refresh tokens to the user they will identidy for query filtering → .

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024