How to detect and purge disused OAuth 2.0 clients

Identity providers with open client registration can potentially accumulate a large number of OpenID relying parties that are no longer used. Unused OAuth 2.0 clients take up database space, so it's good practise to purge them periodically.

Create a simple service with a database that keeps track of when a given client was last issued with an ID or access token. This can be a simple key value store where the keys are the client_ids and the values a timestamp (Unix epoch) of the last token issue event.

client_id last_use
phohgh5r 1561699244
rahcha4u 1561903221
eix1juax 1561697101

Create a Connect2id plugin that listens for token issue events and for each minted ID or access token pass the client_id and the time to the accounting service. We recommend you use a message queue to pass the events.

If your Connect2id server is deployed in the AWS cloud we have a ready AWS SQS plugin for you. It can be configured to pass the events as a simple JSON object containing the client_id and the token iat (issued-at timestamp).

  "client_id" : "phohgh5r",
  "iat"       : 1561699244

The accounting service will then run a periodic task that scans the currently registered clients and if it finds one with last_use older than the acceptable age, or without a key in the database, it can then delete it.