Managing OIDC tokens

A token is used to identify and authorize a user, an application, or an API client to access a protected resource. Each token has a configurable expiry attribute that limits the window of unauthorized access if the token is stolen and determines how often a user is required to reauthenticate. When the token expires, the authorization is revoked. If you need to remove access immediately rather than wait for expiry, review the applications and API clients that hold active tokens and revoke those tokens; this removes the authorization and requires reauthentication on the next access request.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Verify administration console as an Administrator.

About this task

Note: When more than 1000 tokens exist, the tokens are not sorted. Use the filters to reduce the number of tokens that are returned.

You can perform the following tasks:
  • Revoke tokens.
  • Delete or reactivate tokens.

Procedure

  1. Revoking tokens.
    1. Select Security > OIDC tokens.
      The actual token values are not listed but each token is associated with the following information. You can filter the API client and application token view by resource, user, and source. You can select whether you want to view Active or Revoked tokens. Ensure that Active is selected.
      Table 1. Active token details
      Information     Description
      Resource        The name of the API client, the OpenID Connect based application, or the identity source to which the token is assigned.
      User/Client ID  The client ID of the API client, or the name and username of the user to whom the token belongs.
      IP Address      The IP address of the device to which the token was issued.
      Location        The city, region, or country where the token was issued.
      Type            The type of token that was generated for the authorization grant: an access token or a refresh token.
                      An access token authorizes access to the protected resource. When the token expires or is revoked, access is denied.
                      A refresh token is used to obtain a new access token so that access to the protected resource can continue.
                      For more information about grants, see Grant types.
      Issued On       The date and time when the access token was generated and issued to the requesting application or API client.
      Last Used       The date and time when the access token was last used to verify the identity of the user, application, or API client.
    2. Choose from one of the following options:
      • Select the specific rows that correspond to the tokens that you want to revoke.
      • Select Select All to revoke all the active tokens that are issued by Verify. This option extends beyond what is visible on the page.
      • Search for a name, identity, or location whose token you want to revoke.
      The actions toolbar is displayed.
    3. Select Revoke.
    4. Confirm that you want to revoke tokens that are associated with your selections.
      The token is moved to the Revoked page.
  2. Deleting or reactivating tokens.
    Use this task if you want to remove a revoked token from the list before its retention time expires or want to reactivate a token that was revoked.
    1. Select Security > OIDC tokens.
      The actual token values are not listed but each token is associated with the following information. You can filter the API client and application token view by resource, user, and source. You can select whether you want to view Active or Revoked tokens. Ensure that Revoked is selected.
      Table 2. Revoked token details
      Information     Description
      Resource        The name of the API client, the OpenID Connect based application, or the identity source to which the token is assigned.
      User/Client ID  The client ID of the API client, or the name and username of the user to whom the token belongs.
      IP Address      The IP address of the device to which the token was issued.
      Location        The city, region, or country where the token was issued.
      Type            The type of token that was generated for the authorization grant: an access token or a refresh token.
                      An access token authorizes access to the protected resource. When the token expires or is revoked, access is denied.
                      A refresh token is used to obtain a new access token so that access to the protected resource can continue.
                      For more information about grants, see Grant types.
      Disabled On     The date and time when the access token was disabled.
      Retain Until    The date and time when the access token is removed from the list of revoked tokens.
    2. Choose from one of the following options:
      • Select the specific rows that correspond to the tokens that you want to delete or reactivate.
      • Select Select All to delete or reactivate all the revoked tokens that are issued by Verify. This option extends beyond what is visible on the page.
      • Search for a name, identity, or location whose token you want to delete or reactivate.
      The actions toolbar is displayed.
    3. Choose the action that you want to perform.
      • Select Delete to remove the token.
      • Select Reactivate to move the token to the Active page.
    4. Confirm the action that you want to perform on the tokens that are associated with your selections.
      The tokens are removed from the list of revoked tokens. Tokens that are reactivated are moved to the active tokens page.
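The following Python model is an added illustration of the token lifecycle this page describes (expiry at the top, and the Active and Revoked views with the Revoke, Reactivate, Delete and Retain Until behaviour in the two procedures). It is not IBM Verify's code or API: the class names, the seven-day retention period and the sample tokens are constructed here for illustration. It shows the decision a protected resource makes for each state, and that reactivating a token restores the row but does not extend the token's expiry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class TokenRecord:
    """One row of the token view: the listed attributes, never the token value itself."""
    token_id: str
    resource: str                            # API client, OIDC application, or identity source
    subject: str                             # User/Client ID
    token_type: str                          # "access" or "refresh"
    issued_on: datetime
    expires_on: datetime
    last_used: Optional[datetime] = None
    disabled_on: Optional[datetime] = None   # set when the token is revoked
    retain_until: Optional[datetime] = None  # revoked row is dropped after this time


class TokenLedger:
    """Illustrative Active/Revoked ledger (constructed model, not a product API)."""

    def __init__(self, retention: timedelta = timedelta(days=7)):
        self.retention = retention           # assumed retention window for revoked rows
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, token_id: str, resource: str, subject: str, token_type: str,
              now: datetime, lifetime: timedelta) -> TokenRecord:
        rec = TokenRecord(token_id, resource, subject, token_type, now, now + lifetime)
        self._tokens[token_id] = rec
        return rec

    def active(self) -> List[TokenRecord]:
        return [t for t in self._tokens.values() if t.disabled_on is None]

    def revoked(self) -> List[TokenRecord]:
        return [t for t in self._tokens.values() if t.disabled_on is not None]

    def ids(self) -> List[str]:
        return sorted(self._tokens)

    def revoke(self, token_ids: Iterable[str], now: datetime) -> int:
        """Move active rows to the Revoked view; stamp Disabled On and Retain Until."""
        count = 0
        for tid in token_ids:
            rec = self._tokens.get(tid)
            if rec is not None and rec.disabled_on is None:
                rec.disabled_on = now
                rec.retain_until = now + self.retention
                count += 1
        return count

    def reactivate(self, token_ids: Iterable[str]) -> int:
        """Move revoked rows back to Active. Expiry is untouched."""
        count = 0
        for tid in token_ids:
            rec = self._tokens.get(tid)
            if rec is not None and rec.disabled_on is not None:
                rec.disabled_on = None
                rec.retain_until = None
                count += 1
        return count

    def delete(self, token_ids: Iterable[str]) -> int:
        """Remove revoked rows before their retention time expires."""
        count = 0
        for tid in token_ids:
            rec = self._tokens.get(tid)
            if rec is not None and rec.disabled_on is not None:
                del self._tokens[tid]
                count += 1
        return count

    def purge(self, now: datetime) -> int:
        """Drop revoked rows whose Retain Until time has passed."""
        stale = [t.token_id for t in self.revoked()
                 if t.retain_until is not None and t.retain_until <= now]
        for tid in stale:
            del self._tokens[tid]
        return len(stale)

    def authorize(self, token_id: str, now: datetime) -> Tuple[bool, str]:
        """Decision a protected resource makes: deny unknown, revoked, or expired tokens."""
        rec = self._tokens.get(token_id)
        if rec is None:
            return False, "unknown token"
        if rec.disabled_on is not None:
            return False, "revoked"
        if now >= rec.expires_on:
            return False, "expired"
        rec.last_used = now                  # the Last Used column
        return True, "ok"


def demo() -> dict:
    """Walk three constructed tokens through revoke, reactivate, expiry, delete and purge."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    ledger = TokenLedger()
    ledger.issue("tok-access-1", "payments-api", "alice@example.com", "access", t0, timedelta(hours=1))
    ledger.issue("tok-refresh-1", "payments-api", "alice@example.com", "refresh", t0, timedelta(days=30))
    ledger.issue("tok-access-2", "reporting-app", "client-7f3a", "access", t0, timedelta(hours=1))
    r = {}
    r["before_revoke"] = ledger.authorize("tok-access-1", t0 + timedelta(minutes=5))
    r["revoked_count"] = ledger.revoke(["tok-access-1", "tok-refresh-1"], t0 + timedelta(minutes=10))
    r["after_revoke"] = ledger.authorize("tok-access-1", t0 + timedelta(minutes=15))
    r["active_count"] = len(ledger.active())
    r["revoked_list"] = len(ledger.revoked())
    r["reactivated"] = ledger.reactivate(["tok-refresh-1"])
    r["refresh_after_reactivate"] = ledger.authorize("tok-refresh-1", t0 + timedelta(minutes=20))
    r["expired"] = ledger.authorize("tok-access-2", t0 + timedelta(hours=2))
    r["revoke_expired"] = ledger.revoke(["tok-access-2"], t0 + timedelta(hours=3))
    r["deleted"] = ledger.delete(["tok-access-1"])
    r["purged"] = ledger.purge(t0 + timedelta(days=8))
    r["remaining"] = ledger.ids()
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the walk-through makes concrete: a revoked token is denied on the very next request regardless of how much lifetime it has left, which is why revocation is the immediate action the page recommends over waiting for expiry; and an expired token is still denied after it is reactivated, because reactivation only changes which view the row appears in.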