Hi Sathya, I think it would be better to do this with an application mgt listener rather than doing this at validation time. We can use an "ApplicationMgtListener.doPostUpdateApplication()"[1] implementation and invalidate all the tokens issued to users from other tenants when the application is updated.
[1] https://github.com/wso2/carbon-identity-framework/blob/master/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/AbstractApplicationMgtListener.java#L43

On Mon, May 8, 2017 at 7:03 PM, Sathya Bandara <sat...@wso2.com> wrote:
> Hi All,
>
> This is in relation to issue [1] which happens when using a valid access
> token issued to a SaaS-enabled application (application in a separate
> domain, user from another tenant domain). After disabling SaaS, it is still
> possible to use the same access token to access the UserInfo endpoint for
> this user from another tenant. Also it is possible to obtain a new access
> token for the SaaS-disabled application by using the issued refresh token
> for a different tenant user.
>
> For this I have added functionality to validate the tenant domain and to check
> if the SP is SaaS enabled before granting access to the UserInfo endpoint.
> It is evident that we should revoke the refresh token such that the user is not
> permitted to obtain further access tokens for the application. In addition
> to this, is it required to invalidate the already-issued access token?
>
> Appreciate your help on this.
>
> [1] https://wso2.org/jira/browse/IDENTITY-4981
>
> Best regards,
> Sathya
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421

--
Pulasthi Mahawithana
Senior Software Engineer
WSO2 Inc., http://wso2.com/
Mobile: +94-71-5179022
Blog: https://medium.com/@pulasthi7/
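As an added illustration of the listener approach suggested above (example code written for this page, not WSO2's own implementation or the fix that landed for IDENTITY-4981): a post-update listener that, whenever a service provider is saved with SaaS disabled, revokes every access/refresh token pair the application holds for a user whose tenant is not the application's own tenant. It assumes the `AbstractApplicationMgtListener` base class and its `doPostUpdateApplication(ServiceProvider, String, String)` hook, `ServiceProvider.isSaasApp()` and the inbound authentication config model from carbon-identity-framework; the `TokenStore` and `IssuedToken` interfaces are hypothetical stand-ins for the OAuth token DAO, the `"oauth2"` inbound auth type string and the order id value are assumptions, and the package name is made up.

```java
package example.listener; // hypothetical package, not part of the WSO2 code base

import java.util.ArrayList;
import java.util.List;

import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.InboundAuthenticationConfig;
import org.wso2.carbon.identity.application.common.model.InboundAuthenticationRequestConfig;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.listener.AbstractApplicationMgtListener;

/**
 * Runs after an application (service provider) has been updated. If SaaS is
 * off for the updated SP, every token issued to the SP for a user outside the
 * SP's own tenant is revoked, so neither the access token nor the refresh
 * token can be used again from the foreign tenant.
 */
public class SaasDisableTokenRevocationListener extends AbstractApplicationMgtListener {

    /** Inbound auth type whose auth key is the OAuth consumer key (assumed value). */
    private static final String OAUTH2_INBOUND_TYPE = "oauth2";

    /** Hypothetical minimal view of one issued token pair; not a WSO2 API. */
    public interface IssuedToken {
        String userTenantDomain();
        String accessToken();
        String refreshToken();
    }

    /** Hypothetical minimal token store; stands in for the OAuth token DAO. */
    public interface TokenStore {
        List<IssuedToken> tokensForConsumerKey(String consumerKey);
        void revoke(String accessToken, String refreshToken);
    }

    private final TokenStore tokenStore;

    public SaasDisableTokenRevocationListener(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    @Override
    public int getDefaultOrderId() {
        return 90; // arbitrary ordering value; assumption
    }

    @Override
    public boolean doPostUpdateApplication(ServiceProvider serviceProvider, String tenantDomain,
                                           String userName) throws IdentityApplicationManagementException {
        if (serviceProvider.isSaasApp()) {
            // SaaS still enabled: cross-tenant tokens are legitimate, nothing to revoke.
            return true;
        }
        for (String consumerKey : oauthConsumerKeys(serviceProvider)) {
            revokeForeignTenantTokens(consumerKey, tenantDomain);
        }
        return true; // returning false would abort the remaining listeners
    }

    /** Collects the OAuth consumer keys registered as inbound auth for the SP. */
    static List<String> oauthConsumerKeys(ServiceProvider sp) {
        List<String> keys = new ArrayList<>();
        InboundAuthenticationConfig inbound = sp.getInboundAuthenticationConfig();
        if (inbound == null || inbound.getInboundAuthenticationRequestConfigs() == null) {
            return keys;
        }
        for (InboundAuthenticationRequestConfig cfg : inbound.getInboundAuthenticationRequestConfigs()) {
            if (OAUTH2_INBOUND_TYPE.equalsIgnoreCase(cfg.getInboundAuthType()) && cfg.getInboundAuthKey() != null) {
                keys.add(cfg.getInboundAuthKey());
            }
        }
        return keys;
    }

    /**
     * Revokes both tokens of every pair whose owner lives in a tenant other
     * than the application's tenant. Tenant domains are compared
     * case-insensitively. Returns the number of pairs revoked.
     */
    int revokeForeignTenantTokens(String consumerKey, String appTenantDomain) {
        int revoked = 0;
        for (IssuedToken token : tokenStore.tokensForConsumerKey(consumerKey)) {
            if (!appTenantDomain.equalsIgnoreCase(token.userTenantDomain())) {
                tokenStore.revoke(token.accessToken(), token.refreshToken());
                revoked++;
            }
        }
        return revoked;
    }
}
```

The listener is wired up the way the framework's other application management listeners are, as an OSGi service exposing the `ApplicationMgtListener` interface. Revoking on every update while SaaS is off (rather than only on the transition from enabled to disabled) is idempotent and avoids having to remember the previous SaaS state in `doPreUpdateApplication`; the cost is one token lookup per consumer key on each save. Revoking the access token together with the refresh token closes both paths the thread raises: reuse of the existing access token at the UserInfo endpoint, and minting a new one from the refresh token.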
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev