Allow admins to log users out of all Box sessions or API for revoking tokens
Admins would like to have the ability to force a log out from all devices and sessions. This could be for:
- User termination
- User's SSO credentials compromised (attacker could grant access to a third-party app, which keeps a session alive even if SSO credentials are reset)
From an API perspective, there could be an endpoint which destroys all tokens for a user, and it would require "manage users" from an admin perspective.
This is possible today by logging in as the user and blowing away all sessions.
It's NOT possible to log out all existing sessions if you have not upgraded your Box account to a paid account. Logging out all existing sessions should be a feature that's available to all users regardless of whether it's a free account or a paid account, since this is a standard security feature.
Actually, the API call to invalidate tokens is not an existing feature and is needed!