
WSO2 IS - SCIM2 Invalid Token after PATCH


I am trying to figure out if the following behavior is expected. In my case, I am logged in as a user with username: testuser

I make a PATCH request from my Blazor SPA to the following URL https://myidentityserver/scim2/Me. This is where the WSO2 IS is located.

The PATCH request, containing a password change and some other patched info, completes successfully and Status Code: 200 OK is returned.

Immediately after the aforementioned PATCH request, a call to https://myidentityserver/oauth2/token is made and Status Code: 400 is returned, containing the grant_type: refresh_token, client_id: myid, refresh_token: xxxxxx, meaning that the token is invalid.

In my understanding this is the expected behavior, as the information that was present in the token has now been altered due to the PATCH and the token should be invalidated.

WSO2 IS version: 5.11.0


Solution

  • The default behavior of IS is when the password is updated by the user, all the sessions are terminated, and all the tokens are revoked.

    However, there is an option to skip the current session/token from being terminated/revoked at password update. In order to enable that feature, you need to add the following config in <wso2is-5.11.0-home>/repository/conf/deployment.toml file and restart the server.

    [identity_mgt]
    password_update.preserve_logged_in_session=true
    

    Refer to the git issue for more details:

    https://github.com/wso2/product-is/issues/9461
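As an added example (not from the question, the answer or WSO2): a small Python model of the sequence above, with the SCIM2 PatchOp body sent to /scim2/Me, a constructed stand-in for the token endpoint that applies the rule the answer describes (every refresh token revoked on a password update, or only the caller's own token kept when password_update.preserve_logged_in_session is true), and the client-side check that turns the 400 invalid_grant into a forced re-login. FakeTokenEndpoint, the token values and the error body are assumptions, not WSO2 output.

```python
import json
def build_me_patch(new_password, other_attrs=None):
    """SCIM2 PatchOp body (RFC 7644) the SPA sends to /scim2/Me."""
    ops = [{"op": "replace", "path": "password", "value": new_password}]
    ops += [{"op": "replace", "path": p, "value": v} for p, v in (other_attrs or {}).items()]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": ops}

def patch_touches_password(body):
    # True when any operation in the PatchOp sets the password attribute
    return any(op.get("op", "").lower() in ("replace", "add")
               and op.get("path", "").lower() == "password"
               for op in body.get("Operations", []))

class FakeTokenEndpoint:
    """Constructed stand-in for /oauth2/token (not WSO2 code) applying the answer's rule."""
    def __init__(self, preserve_logged_in_session):
        self.preserve = preserve_logged_in_session
        self.valid_refresh_tokens = set()

    def issue(self, refresh_token):
        self.valid_refresh_tokens.add(refresh_token)

    def on_password_update(self, current_refresh_token):
        # Default: every refresh token is revoked. With the toml flag set, only the
        # token of the session that performed the password change survives.
        keep = {current_refresh_token} if self.preserve else set()
        self.valid_refresh_tokens &= keep

    def refresh(self, refresh_token):
        if refresh_token in self.valid_refresh_tokens:
            return 200, json.dumps({"access_token": "new-at", "token_type": "Bearer"})
        return 400, json.dumps({"error": "invalid_grant"})  # constructed error body

def classify_refresh(status, body_text):
    """'ok': continue; 'reauth': grant revoked, force re-login; 'error': anything else."""
    if status == 200:
        return "ok"
    err = json.loads(body_text).get("error")
    return "reauth" if status == 400 and err == "invalid_grant" else "error"

def run_scenario(preserve):
    # Replay the question: PATCH /scim2/Me with a password change, then refresh.
    ep = FakeTokenEndpoint(preserve)
    ep.issue("rt-browser")       # the SPA's own session
    ep.issue("rt-other-device")  # another session of the same user
    body = build_me_patch("N3w-p4ss!", {"name.givenName": "Test"})
    if patch_touches_password(body):
        ep.on_password_update("rt-browser")
    return classify_refresh(*ep.refresh("rt-browser")), classify_refresh(*ep.refresh("rt-other-device"))
```

With the default setting both sessions must log in again; with the flag set, the browser that changed the password keeps working while every other session of that user is still cut off.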