How to detect and purge disused OAuth 2.0 clients
Identity providers with open client registration can accumulate a large number of OpenID relying parties that are no longer used. Unused OAuth 2.0 clients take up database space, so it's good practice to purge them periodically.
Create a simple service with a database that keeps track of when a given client was last issued with an ID or access token. This can be a simple key value store where the keys are the client_ids and the values a timestamp (Unix epoch) of the last token issue event.
Create a Connect2id plugin that listens for token issue events and for each minted ID or access token passes the client_id and the time to the accounting service. We recommend you use a message queue to pass the events.
If your Connect2id server is deployed in the AWS cloud we have a ready AWS SQS plugin for you.
It can be configured to pass the events as a simple JSON object containing the client_id and the token iat (issued-at timestamp):

    {
      "client_id" : "phohgh5r",
      "iat"       : 1561699244
    }
The accounting service will then run a periodic task that scans the currently registered clients and, if it finds one whose last_use is older than the acceptable age, or one without a key in the database at all, deletes it.
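The following is an added example of the accounting side of this procedure; it is not code from Connect2id or from the SQS plugin. It consumes token issue events in the JSON shape shown above, keeps the last issue time per client_id in an in-memory key value store (a stand-in for a real database), and computes which registered clients are due for deletion. The event messages are constructed sample data; the optional registered_at mapping, used to give freshly registered clients that have not yet been issued a token a grace period instead of purging them for lacking a key, is an assumption of this example and not something the text describes.

```python
import json
import time

# Constructed sample events in the JSON shape the SQS plugin is described as emitting.
# The last message is deliberately malformed to show that bad events are skipped.
SAMPLE_EVENTS = [
    '{"client_id": "phohgh5r", "iat": 1561699244}',
    '{"client_id": "aiw8ahth", "iat": 1561700000}',
    '{"client_id": "phohgh5r", "iat": 1561800000}',
    '{"client_id": "missing-iat"}',
]


class LastUseStore:
    """Key value store: client_id -> Unix timestamp of the last token issue event."""

    def __init__(self):
        self._last_use = {}

    def record(self, client_id, iat):
        # Keep the most recent issue time; queued events may arrive out of order.
        prev = self._last_use.get(client_id)
        if prev is None or iat > prev:
            self._last_use[client_id] = iat

    def last_use(self, client_id):
        return self._last_use.get(client_id)


def consume_event(store, message):
    """Parse one token issue event and record it. Returns False for a malformed event."""
    try:
        event = json.loads(message)
        client_id = event["client_id"]
        iat = int(event["iat"])
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(client_id, str) or not client_id:
        return False
    store.record(client_id, iat)
    return True


def ingest(store, messages):
    """Feed a batch of queue messages into the store; returns the number accepted."""
    accepted = 0
    for message in messages:
        if consume_event(store, message):
            accepted += 1
    return accepted


def find_disused_clients(store, registered_client_ids, max_age_seconds,
                         now=None, registered_at=None):
    """Return the client_ids due for deletion, in the order they were listed.

    A client is disused when its last token issue is older than max_age_seconds,
    or when it has no key in the store at all. registered_at (hypothetical, not
    part of the described procedure) maps client_id -> registration time so that
    a client registered within the window but never used is kept for now.
    """
    now = time.time() if now is None else now
    registered_at = registered_at or {}
    cutoff = now - max_age_seconds
    to_purge = []
    for client_id in registered_client_ids:
        last = store.last_use(client_id)
        if last is None:
            registered = registered_at.get(client_id)
            if registered is not None and registered >= cutoff:
                continue  # still within its grace period
            to_purge.append(client_id)
        elif last < cutoff:
            to_purge.append(client_id)
    return to_purge


if __name__ == "__main__":
    store = LastUseStore()
    print("accepted events:", ingest(store, SAMPLE_EVENTS))
    # Clients the periodic task found in the registration database (constructed).
    registered = ["phohgh5r", "aiw8ahth", "neverused"]
    thirty_days = 30 * 24 * 3600
    print("clients to purge:",
          find_disused_clients(store, registered, thirty_days, now=1564392000))
```

The deletion itself is left to the caller: in a deployment the returned client_ids would be fed to whatever removes a client registration, and the store should be kept durable (and the acceptable age set generously) so that an outage of the accounting service does not make every client look unused.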