OAuth 2.0 Access / Refresh Token - works for deleted user

oauth

#1

Hello,

I've tested a few cases around user deletion and it seems it doesn't work correctly.

When I add a new user to my portal, I'm able to log in and I'm able to authorize him via the OAuth 2.0 Access / Refresh Token API; all works well.

On the other hand, if I delete the user, I'm not able to log in any more and that's fine, but OAuth requests for Access / Refresh Token still work and I get data from the server as if the user is still active. Is there any way I can get information about the user's status, whether he's deleted or active?

Thanks in advance,
Nikola


#2

Hi @nikolajovanovic,

When a user authorizes an integration, that integration is installed to the entire portal. Deleting the user that authorized the integration does not invalidate the refresh/access tokens created by the authorization process, since the integration is still installed in the portal. The only way to invalidate the access/refresh tokens is to uninstall the integration from the portal.