WSO2 IS - SCIM2 Invalid Token after PATCH

Question

I am trying to figure out if the following behavior is the expected. In my case, I am logged in as a user with username: testuser

I make a PATCH request from my Blazor SPA to the following URL https://myidentityserver/scim2/Me. This is the location the WSO2 IS is located.

The PATCH request,containing a password change and some other patched info,completes successfully and Status Code:200 OK is returned.

Immediately after the aforementioned PATCH request, a call to https://myidentityserver/oauth2/token is made and Status Code: 400 is returned containing the grant_type: refresh_token, client_id: myid, refresh_token:xxxxxx, meaning that the token is invalid.

In my understanding this is the expected behavior as the information that were present in the token have now been altered due to the PATCH and token should be invalidated.

WSO IS version: 5.11.0

Answer 1

The default behavior of IS is when the password is updated by the user, all the sessions are terminated, and all the tokens are revoked.

However, there is an option to skip the current session/token from being terminated/revoked at password update. In order to enable that feature, you need to add the following config in <wso2is-5.11.0-home>/repository/conf/deployment.toml file and restart the server.

[identity_mgt]
password_update.preserve_logged_in_session=true

Refer to the git issue for more details:

https://github.com/wso2/product-is/issues/9461

Answer 2

Answering my own question that I made in the comments

The answer was provived from the relevant WSO2 IS slack chat

'As per the question, the PATCH request contains a password change also. So in that case the exiating sessions will be invalidated as you mentioned. But for other claim updates which will be done from SCIM2 will not invalidate the existing sessions'