Allow admins to log users out of all box sessions or api for revoking tokens
Admins would like to have the ability to force a log out from all devices and sessions. This could be for:
- User termination
- User's SSO credentials compromised (attacker could grant access to a third party app, which keeps a session alive even if sso credentials are reset)
From an API perspective, there could be an endpoint which destroys all tokens for a user, and it would require "manage users" from an admin perspective.
This is possible today by logging in as the user and blowing away all sessions.
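One way to implement the endpoint the post asks for, as an added Python example that is not Box's code or API (the in-memory store, the `manage users` permission string, and the token layout are all assumptions). It combines deleting stored tokens with a per-user cutoff timestamp, so that tokens issued elsewhere, such as an OAuth token held by a third-party app, are also rejected when presented after the revocation:

```python
"""Per-user "revoke everything" for sessions and API tokens (illustrative, not Box's code).

Two mechanisms are combined so the revocation also covers tokens that live
outside this store (for example a third-party app's OAuth token):
  1. tokens held in the store are deleted outright;
  2. a per-user cutoff timestamp is recorded, and any token issued at or before
     that cutoff is rejected when presented, even if it was never stored here.
"""
import secrets
import time
from dataclasses import dataclass

# Permission an admin must hold to call revoke_all; name mirrors the post (assumed).
MANAGE_USERS = "manage users"


@dataclass(frozen=True)
class Token:
    value: str
    user_id: str
    issued_at: float


class SessionStore:
    def __init__(self):
        self._tokens = {}       # token value -> Token
        self._cutoff = {}       # user_id -> timestamp; tokens issued <= this are dead
        self._permissions = {}  # user_id -> set of permission strings

    def grant(self, user_id, *permissions):
        """Give user_id the named permissions (constructed role model)."""
        self._permissions.setdefault(user_id, set()).update(permissions)

    def issue(self, user_id, now=None):
        """Issue a fresh session/API token for user_id and return its value."""
        now = time.time() if now is None else now
        token = Token(secrets.token_urlsafe(32), user_id, now)
        self._tokens[token.value] = token
        return token.value

    def issued_before_cutoff(self, user_id, issued_at):
        """True if a token with this (user, issued_at) has been mass-revoked.

        Also usable for tokens not held in the store, e.g. stateless bearer
        tokens whose claims carry user_id and issued_at.
        """
        return issued_at <= self._cutoff.get(user_id, float("-inf"))

    def is_valid(self, token_value):
        """Accept a presented token only if it is stored and not mass-revoked."""
        token = self._tokens.get(token_value)
        if token is None:
            return False
        return not self.issued_before_cutoff(token.user_id, token.issued_at)

    def revoke_all(self, acting_user, target_user, now=None):
        """Admin endpoint: invalidate every token for target_user.

        Requires the acting user to hold MANAGE_USERS. Returns the number of
        stored tokens removed; the cutoff additionally kills unstored tokens.
        """
        if MANAGE_USERS not in self._permissions.get(acting_user, set()):
            raise PermissionError(f"{acting_user!r} lacks {MANAGE_USERS!r}")
        now = time.time() if now is None else now
        previous = self._cutoff.get(target_user, float("-inf"))
        self._cutoff[target_user] = max(now, previous)  # cutoff never moves backwards
        dead = [v for v, t in self._tokens.items() if t.user_id == target_user]
        for v in dead:
            del self._tokens[v]
        return len(dead)


if __name__ == "__main__":
    store = SessionStore()
    store.grant("admin", MANAGE_USERS)
    t = store.issue("alice", now=100.0)
    print("valid before revoke:", store.is_valid(t))
    print("tokens removed:", store.revoke_all("admin", "alice", now=105.0))
    print("valid after revoke:", store.is_valid(t))
```

The cutoff is inclusive, so a token issued in the same clock instant as the revocation is rejected; in a real service the issuance timestamp needs enough resolution (or a per-user version counter in its place) that new logins after the revocation land strictly later than the cutoff.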
3 comments
Colo Host commented
lol, the fact that an admin can't log out a user who's potentially had their account compromised is about the dumbest thing I've run into so far.
It's NOT possible to log out all existing sessions if you have not upgraded your Box account to a paid account. Logging out all existing sessions should be a feature that's available to all users, regardless of whether it's a free account or a paid account, since this is a standard security feature.
Actually, the API call to invalidate tokens is not an existing feature and is needed!