How to detect and purge disused OAuth 2.0 clients
Identity providers with open client registration can accumulate a large number of OpenID relying parties that are no longer used. Unused OAuth 2.0 clients take up database space, so it is good practice to purge them periodically.
Create a simple service with a database that keeps track of when a given client was last issued with an ID or access token. This can be a simple key-value store where the keys are the `client_id`s and the values a timestamp (Unix epoch) of the last token issue event.

| client_id | last_use   |
|-----------|------------|
| phohgh5r  | 1561699244 |
| rahcha4u  | 1561903221 |
| eix1juax  | 1561697101 |
Create a Connect2id plugin that listens for token issue events and for each minted ID or access token passes the `client_id` and the time to the accounting service. We recommend you use a message queue to pass the events.

If your Connect2id server is deployed in the AWS cloud we have a ready AWS SQS plugin for you. It can be configured to pass the events as a simple JSON object containing the `client_id` and the token `iat` (issued-at timestamp).

```json
{
  "client_id" : "phohgh5r",
  "iat"       : 1561699244
}
```
The accounting service will then run a periodic task that scans the currently registered clients and, if it finds one with `last_use` older than the acceptable age, or without a key in the database, deletes it.
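The accounting service logic for the three steps above, as an added Python example (not Connect2id's own code, which is Java): the event shape is the JSON the SQS plugin emits, while the store, the list of registered clients, the timestamps and the 3-day threshold are constructed sample values. Queue delivery can be out of order or duplicated, so the recorder only ever moves `last_use` forward.

```python
import json
import time

# Constructed sample events, in the JSON shape the SQS plugin emits.
# The last one is a late, out-of-order delivery for phohgh5r.
SAMPLE_EVENTS = [
    '{"client_id": "phohgh5r", "iat": 1561699244}',
    '{"client_id": "rahcha4u", "iat": 1561903221}',
    '{"client_id": "eix1juax", "iat": 1561697101}',
    '{"client_id": "phohgh5r", "iat": 1561600000}',
]


def record_token_issue(store, event_json):
    """Update the client_id -> last_use map from one token issue event.

    A stale or duplicated event must not roll last_use backwards, so the
    stored value is the maximum iat seen for that client.
    """
    event = json.loads(event_json)
    client_id = event.get("client_id")
    if not client_id or "iat" not in event:
        raise ValueError("event must carry client_id and iat")
    iat = int(event["iat"])
    store[client_id] = max(store.get(client_id, 0), iat)
    return store[client_id]


def find_disused_clients(store, registered_client_ids, max_age_seconds, now=None):
    """Return the registered client_ids that the periodic task should purge.

    A client is disused when its last_use is older than max_age_seconds, or
    when it has no key at all (no token issued since tracking began).
    """
    now = int(time.time()) if now is None else now
    cutoff = now - max_age_seconds
    disused = []
    for client_id in registered_client_ids:
        last_use = store.get(client_id)
        if last_use is None or last_use < cutoff:
            disused.append(client_id)
    return disused


if __name__ == "__main__":
    store = {}
    for e in SAMPLE_EVENTS:
        record_token_issue(store, e)
    registered = ["phohgh5r", "rahcha4u", "eix1juax", "never_used"]
    # 3 days of inactivity, evaluated at a fixed constructed "now"
    print(find_disused_clients(store, registered, 3 * 24 * 3600, now=1562000000))
```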