How to invalidate access token?

code_af a year ago

If a token is created, for example, with an expiry date of 1 year, but after a short time the user wants to invalidate this specific token, how can the user do so?

Anton Tananaev a year ago

It's not possible to invalidate tokens.

henry beltran a year ago

What about changing the password of the user's token?

Anton Tananaev a year ago

A token is an alternative to password, so changing the password doesn't affect the token.

masterkitano 8 months ago

Anton, can you elaborate on why there's no option to invalidate the tokens?
If a token can have a very far away expiration date, it's very risky to not have a way to invalidate the token. If at any moment before the token expires it gets compromised, basically you are saying that there's no way to prevent misuse: basically the account is compromised and there's nothing the user can do, not even changing the password. So then what? The user is pretty f*d up. What should she/he do? Make a new account and delete the old one, or what? Thanks for your explanation in advance.

stridger 3 months ago

This is indeed quite a shortcoming and a security issue. Also, it appears if someone logs in with a token they can generate a token with a further expiry time. It does feel like the token system up to version 5.2 was much more fit for purpose than the new reworked one where the system neither knows what tokens exist nor has any control over them...

Anton Tananaev 3 months ago

it appears if someone logs in with a token they can generate a token with a further expiry time

This is not the case if you're using the latest version.

stridger 3 months ago

Thanks. I am using 5.12 and I still get a Preferences menu to generate tokens... However the tokens will be the same if I try to generate past the expiry of the original token. Is that what you mean? I guess that solves this security problem, but is rather confusing for the end user. Why can the Tokens menu not be removed altogether if one logs in with a token? And revoking tokens also seems essential if for example a token is leaked somewhere etc.

Could you perhaps explain what led to this redesign of the token system, which used to work perfectly fine before 5.3 and could have easily been extended with expiry dates if that was the driver?

Anton Tananaev 3 months ago

We need to support tokens for a lot of different things now. For example mobile app login, notifications etc. So one single user controlled token doesn't work for it. That was the main reason.

stridger 3 months ago

I see. Thank you, that makes sense. Perhaps in the future something can be added to allow invalidation and remove the menu for users who login with token to issue other tokens (even if only just for ones within the validity period of the original token).

Anton Tananaev 3 months ago

I recommend submitting a feature request or if there's already one comment on it to express interest.

stridger 3 months ago

OK!