Filter tokens which are assigned but whose user is not in the UserIDResolver anymore


Hi there,

Is there any possibility to filter all tokens which are assigned, but whose assigned user cannot be found in the given resolver anymore (without using the usercache)?
I want to clean up the token database, so that orphaned tokens of users who do not belong to the vpn-ad-group anymore can be deleted.
The GET /token API does not allow the needed filters.

Kind regards



Hi Axel,

You can use the privacyidea-token-janitor tool for this task:
$ privacyidea-token-janitor find --orphaned 1
It also allows deleting the found tokens with --action delete.



Hello Paul,

Just tested this tool and it is awesome.
That was one main issue with the former LinOTP-Software, which resulted in various orphaned tokens. Janitor provides the exact solution(s) I needed.

Thank you very much and thumbs up for privacyIDEA and its tools.

Kind regards