We have a ReactJS SPA in which we have given the user the functionality to change the password. For this, we use the Management API via the backend to send a password reset link. On resetting the password, it should invalidate all active sessions and ask the user to log back in by entering credentials.
I have read many SO questions but didn’t get the answer I am looking for. The general pattern of answers is to use a ‘Change-Password’ webhook and invalidate all refresh tokens or unauthorize the application for the user.
One similar question is this
This redirects here on how to revoke refresh tokens. For revoking with the authentication API, it asks to send a POST request to the /oauth/revoke endpoint. This we can do in the webhook, but one of the parameters of this POST request is the refresh token itself. In the case of the Post-Change Password webhook, we don’t get the refresh token as an argument.
Can someone please guide me on this?
@dan.woda Can you please help?
Thanks in advance