Revoke all the refresh token issued to the user during resetpassword

This topic has 7 replies, 4 voices, and was last updated 3 years ago by sahoob.

  • Author
  • #21524


    We want to invalidate all the access token and refresh token issued to the user during reset password and change username.
    I am able to locate the token on opendj by below query. But do we have any factory class from where i will get the opendj connection object from openam for configuration store.

    ./ldapsearch -h localhost -p 50389 -D “cn=Directory Manager” -w cangeit -b “ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org” “(&(coreTokenString03=demo)(coreTokenString09=myClientID)(!(coreTokenString10=access_code)))” coreTokenString10

    I am looking into below, but its returning user store details.

    AMIdentity amIdentity = null;
    amIdentity = AuthD.getAuth().getIdentity(IdType.USER, userName,
    IdSearchResults searchResults = this.amIdentityRepo
    .searchIdentities(IdType.USER, this.userName, idsc);

    Does anyone have the sample code to connect to opendj and retrieve the above token details from config store or CTS store? I don’t want to manage the opendj connection with in mycode, if we have any connection factory available on openam code, that I can user then its will be very helpful.

    Biswajit Sahoo


    Hi Biswajit,

    Have you tried the token administration endpoints provided by openam?
    there are endpoints to query the existing tokens for a username and a revoke specific token.
    you can find more details on OAuth2 guide:


    Thanks ,

    We are using openam 13.5.0 the endpoint (/frrest/oauth2/token) depend on amadmin token and it has some defect associated to it.

    So we thought we will directly fetch the details from Dj for the user and use revoke endpoint to revoke the details.

    Do you know any of the class which connect to opendj with basedn of config store from openam?




    I have got the code to get the read the tokens , but its returning just DNs. Can anyone point out what is the wrong I am doing here?

    Set<String> dns =, “ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org”, “(&([email protected])(coreTokenType=OAUTH)(!(coreTokenString10=access_code)))” , 0, 0, false, false);
    This just returning the list of DNs (coreTokenId=c9484576-9de9-44a4-8dd9-e4cbeefe62de,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org)

    If I do as follow also its returning DNs

    Iterator dns1 =, “ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org”, “(&([email protected])(coreTokenType=OAUTH)(!(coreTokenString10=access_code)))” , 0, 0, false, false, null);

    Result : SearchResultEntry(name=coreTokenId=c9484576-9de9-44a4-8dd9-e4cbeefe62de,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org, attributes=[], controls=[])

    If I am running the command on Dj its showing other attributes

    ldapsearch -h localhost-p 1389 -D “cn=Directory Manager” -w password -b “ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org” “(&([email protected])(coreTokenType=OAUTH)(!(coreTokenString10=access_code)))”

    dn: coreTokenId=c9484576-9de9-44a4-8dd9-e4cbeefe62de,ou=famrecords,ou=openam-ses
    objectClass: top
    objectClass: frCoreToken
    coreTokenType: OAUTH
    coreTokenId: c9484576-9de9-44a4-8dd9-e4cbeefe62de
    coreTokenExpirationDate: 20180426132148.273Z
    coreTokenString10: refresh_token
    coreTokenString12: authorization_code
    coreTokenString01: uid,LifeTimeId,openid
    coreTokenObject: {“expireTime”:[“1524748908273″],”tokenName”:[“refresh_token”],”
    [email protected]”],”acr”:[]}
    coreTokenString07: Bearer
    coreTokenString08: /testpoc
    coreTokenString09: oauth2clientlong
    coreTokenString15: f236baed-aee8-4948-9d0b-ebd8de1f4f42
    coreTokenString03: [email protected]

    Please can anyone help me here.



    Try passing in an empty Set instead of null to the search


    That doesn’t help, So I have written my own class by extending the SMSLdapObject class and now I am able to get the details.



    Would you please tell me how you revoked the refresh token when the password changed?


    You need to capture all the Refresh Token from the DJ for that user and Revoke the to token by call revoke endpoint

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?