I have a basic flow that uses AngularJS SPA and a OpenIdConnect Identity Provider. The server I am using is IdentityServer3 but this should be the same everywhere as it is a specification. I would like to know how this flow works.
The Idp has a DB that it is configured to use. In the case of IdentityServer3 it is specified in the ServiceFactory
Implicit Flow
SPA contacts the Authorize endpoint specifying a redirect URI.
The IdP authorizes after checking the specifics and redirects to the specified URI. Now we have an access token in the browser.
- Now the user changes her password. This password is updated in the DB. At this point even though the password is updated in the DB that IdentityServer3 connects to, the token is still old.
- In this step there could be a way to invalidate or issue a new token because the password has changed.
So until we invalidate this token using some facility mentioned in the spec. the Idp does not recognize that the password has changed.
Is this explanation correct ? Do I need to do anything else to indicate to the Idp that the password has changed ? There is no endpoint in OpenIdConnect/OAuth to change passwords. Right ?
I am asking elaborately because I want to understand this key flow before discussing with our technical team. Seems to be fundamental.