The number of tokens a user can have for any OIDC/OAuth application is limited to 50. This applies to Userinfo Access Tokens and JWT Access Tokens issued with a Refresh Token. Once the limit is reached, the oldest token (based on when it was last issued) is removed. For a description of the different OIDC and OAuth tokens, see Integrate OpenID Connect and OAuth Cloud applications.
When an authorization request is made by the OIDC/OAuth client application and it creates an access token through the authentication flow, Identity as a Service tracks the token for future use (for example, obtaining Userinfo data or refreshing the token). An administrator can view the tokens and revoke them either individually in the User Details page or all the user’s tokens in the Token List page.
Topics in this section:
● Revoke OIDC and OAuth tokens