Extend the oauth2 admin api to allow token revocation


We’ve started to use the Kong OAuth 2.0 plugin to manage our tokens and OAuth workflows; however, there is one feature that we required but that is missing in the admin API.

I believe token revocation is an important security measure when you need to lock somebody out of your system for good. We pass the authenticated_userid to Kong during token creation in order to record the user identity, and we would like to be able to delete all the tokens attached to a single authenticated_userid.

Then I tried to follow the instructions here, but I have some questions:

  1. Since the DAO methods are generated, is it possible to select/delete multiple records? AFAIK, select_by or delete_by can’t do that, as the authenticated_userid is not unique;
  2. If the provided DAO helpers can’t help me, then how do you suggest we extend the admin API to support this feature?

Thanks in advance!