Add a way to forget all of a user's sessions (logins, apps, browsers, etc.) via the API
This feature is available. You can find more details in the API specs here: https://developer.box.com/reference/post-users-terminate-sessions/
Need an option to sign out or clear all of a user's logged-in sessions via the API and not from the GUI. This will help to sign out all user sessions when there is a security incident and also when a user leaves the company.
Colo Host commented
lol, the fact that an admin can't log out a user who's potentially had their account compromised is about the dumbest thing I've run into so far.
It's NOT possible to log out all existing sessions if you have not upgraded your Box account to a paid account. Logging out all existing sessions should be a feature that's available to all users regardless of whether it's a free account or a paid account, since this is a standard security feature.
Actually, the API call to invalidate tokens is not an existing feature and is needed!
API method that resets or invalidates all session tokens for a specific user.
In some cases we are not able to delete or inactivate a user after they have been terminated. The user's IdP (Active Directory) login has been disabled, but session tokens in apps like Box Drive don't expire. We need the ability to programmatically invalidate all access tokens for a user.
Jason Pan (Admin, Box) commented
Admins would like to have the ability to force a log out from all devices and sessions. This could be for:
- User termination
- User's SSO credentials compromised (attacker could grant access to a third party app, which keeps a session alive even if sso credentials are reset)
From an API perspective, there could be an endpoint which destroys all tokens for a user, and it would require the "manage users" permission from an admin perspective.
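As an added example (not Box's code and not from any commenter in this thread), a small Python helper for the terminate-sessions endpoint named in the status note above, covering the offboarding and compromised-credential cases listed in the last comment. The transport seam, the admin token value and the sample user IDs and logins are assumptions constructed for the example; only the endpoint URL and its "user_ids"/"user_logins" body fields come from the Box API reference.

```python
import json
from typing import Callable, Dict, Iterable, Tuple

# Box endpoint named in the status note above.
TERMINATE_URL = "https://api.box.com/2.0/users/terminate_sessions"

# Hypothetical transport seam: (url, headers, json_body) -> (status_code, body_text).
# Lets the call be exercised offline with a fake; wire it to requests.post for real use.
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, str]]


def build_terminate_request(user_ids: Iterable[str] = (), user_logins: Iterable[str] = ()) -> dict:
    """Build the JSON body for POST /users/terminate_sessions.

    The endpoint takes "user_ids" and/or "user_logins" (email addresses); at least
    one list must be non-empty. Blank entries and duplicates are dropped so a
    retried offboarding run never submits the same user twice.
    """
    ids = list(dict.fromkeys(str(u).strip() for u in user_ids if str(u).strip()))
    logins = list(dict.fromkeys(str(u).strip() for u in user_logins if str(u).strip()))
    if not ids and not logins:
        raise ValueError("need at least one user id or user login")
    body = {}
    if ids:
        body["user_ids"] = ids
    if logins:
        body["user_logins"] = logins
    return body


def terminate_sessions(admin_token: str, transport: Transport,
                       user_ids: Iterable[str] = (), user_logins: Iterable[str] = ()) -> dict:
    """Ask Box to revoke every session and token for the given users.

    The token must belong to an admin with the "manage users" permission. Box
    answers 202 Accepted and runs the termination as a background job, so 202
    means "queued", not "done". Any other status is raised as an error so an
    offboarding script cannot silently skip a user.
    """
    body = build_terminate_request(user_ids, user_logins)
    headers = {"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"}
    status, text = transport(TERMINATE_URL, headers, body)
    if status != 202:
        raise RuntimeError(f"terminate_sessions rejected: HTTP {status}: {text}")
    try:
        message = json.loads(text).get("message", "")
    except ValueError:
        message = text
    return {"queued": body, "message": message}
```

For a real run, pass a transport that calls `requests.post(url, headers=headers, json=body, timeout=30)` and returns `(r.status_code, r.text)`.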