  1. Jira Data Center
  2. JRASERVER-72198

As a Jira administrator I would like OAuth tokens to be removed when a user is disabled (inactive)


Details

    • Suggestion
    • Resolution: Unresolved
    • None
    • Application Links
    • None
    • 7

    Description

      Problem Definition

      External applications integrated with Jira through Application Links can make calls on behalf of users, when authorized to, by using OAuth tokens.

      The access token persists for 5 years, unless it is revoked.
      Revoking an OAuth access token is an action that can be performed solely by the user who owns this token, which is described in Allowing OAuth access.

      When a user is deactivated (disabled), their OAuth tokens aren't revoked by default.
      Although requests made with this token won't get through the application permissions (authorization validation), it would be good to have them deleted.

      Suggested Solution

      When users are disabled, revoke/delete all of their OAuth access tokens.

      Workaround

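      1. Identify the OAuth tokens associated with inactive users.
        -- app_user.id and cwd_user.id are generated independently, so match on lower_user_name.
        -- A username present in more than one user directory returns one row per directory.
        select au.lower_user_name, ot.token
        from oauthsptoken ot
        join app_user au on au.user_key=ot.username
        join cwd_user cu on cu.lower_user_name=au.lower_user_name
        where cu.active = 0
        and ot.token_type='ACCESS'
        ;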
        
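      2. Delete OAuth tokens associated with inactive users.
        -- Same scope as step 1: ACCESS tokens whose owner is inactive,
        -- with app_user matched to cwd_user on lower_user_name.
        DELETE FROM oauthsptoken
        WHERE ID IN (
        	select ot.id
        	from oauthsptoken ot
        	join app_user au on au.user_key=ot.username
        	join cwd_user cu on cu.lower_user_name=au.lower_user_name
        	where cu.active = 0
        	and ot.token_type='ACCESS'
        );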
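
      The two workaround steps can be rehearsed on a throwaway database before touching production. The following is an added example, not part of the original issue or Atlassian's code: it runs the same scope against a constructed SQLite miniature of the three tables and deletes inside a transaction that rolls back unless the row count matches what was reviewed in step 1. The reduced schema, the sample rows, the lower_user_name join and the function names are assumptions of this example.

```python
import sqlite3

# Constructed miniature of the three tables, limited to the columns the workaround reads.
SCHEMA = """
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, lower_user_name TEXT, active INTEGER);
CREATE TABLE app_user (id INTEGER PRIMARY KEY, user_key TEXT, lower_user_name TEXT);
CREATE TABLE oauthsptoken (id INTEGER PRIMARY KEY, username TEXT, token TEXT, token_type TEXT);
"""

# Scope of the workaround: ACCESS tokens whose owner is inactive.
# Assumption of this example: app_user and cwd_user are matched on lower_user_name.
SCOPE = """
SELECT ot.id FROM oauthsptoken ot
JOIN app_user au ON au.user_key = ot.username
JOIN cwd_user cu ON cu.lower_user_name = au.lower_user_name
WHERE cu.active = 0 AND ot.token_type = 'ACCESS'
"""

def build_fixture():
    """Return an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO cwd_user VALUES (?, ?, ?)",
                   [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)])
    db.executemany("INSERT INTO app_user VALUES (?, ?, ?)",
                   [(10, "key-alice", "alice"), (11, "key-bob", "bob"), (12, "key-carol", "carol")])
    db.executemany("INSERT INTO oauthsptoken VALUES (?, ?, ?, ?)",
                   [(100, "key-alice", "tok-a", "ACCESS"),    # active owner: must survive
                    (101, "key-bob", "tok-b1", "ACCESS"),     # inactive owner: in scope
                    (102, "key-bob", "tok-b2", "ACCESS"),     # inactive owner: in scope
                    (103, "key-carol", "tok-c", "REQUEST")])  # constructed non-ACCESS type
    db.commit()
    return db

def purge_inactive_tokens(db, reviewed_count):
    """Delete in-scope tokens; roll back unless exactly `reviewed_count` rows go."""
    in_scope = sorted(row[0] for row in db.execute(SCOPE))
    deleted = db.execute(f"DELETE FROM oauthsptoken WHERE id IN ({SCOPE})").rowcount
    if deleted != reviewed_count:
        db.rollback()  # scope changed since the operator reviewed the step 1 output
        raise RuntimeError(f"expected {reviewed_count} rows, matched {deleted}")
    db.commit()
    return in_scope

def remaining_token_ids(db):
    """List the token ids still present, for a before/after comparison."""
    return [row[0] for row in db.execute("SELECT id FROM oauthsptoken ORDER BY id")]
```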
        

            People

              Unassigned
              tmasutti Thiago Masutti
              Votes: 7
              Watchers: 9
