Detect and purge disused clients
Identity providers with open client registration can potentially accumulate a large number of OpenID relying parties that are no longer used. Unused OAuth 2.0 clients take up database space, so it’s good practise to purge them periodically.
Create a simple service with a database that keeps track of when a given client
was last issued with an ID or access token. This can be a simple key value
store where the keys are the client_ids and the values a timestamp (Unix
epoch) of the last token issue event.
| client_id | last_use |
|---|---|
| phohgh5r | 1561699244 |
| rahcha4u | 1561903221 |
| eix1juax | 1561697101 |
Create a Connect2id plugin that listens for token issue
events and for each minted ID or
access token pass the client_id and the time to the accounting service. We
recommend you use a message queue to pass the events.
If your Connect2id server is deployed in the AWS cloud we have a ready AWS
SQS plugin for you.
It can be configured to pass the events as a simple JSON object containing the
client_id and the token iat (issued-at timestamp).
{
"client_id" : "phohgh5r",
"iat" : 1561699244
}
The accounting service will then run a periodic task that scans the currently
registered clients and if it finds one
with last_use older than the acceptable age, or without a key in the database,
it can then delete it.