Revoke OAuth2.0 access token/refresh token

This topic has 6 replies, 4 voices, and was last updated 6 years, 5 months ago by suhaibmustafa.

    #5764
     suhaibmustafa
    Participant

    Hi All,

    I was trying to implement OAuth2.0 APIs using OpenAM and found some issues while working on revoke token.
    As per my understanding, the revoke token API should:
    1. Revoke the given access token, if an access token is passed.
    2. Revoke the refresh token as well as all the access tokens associated with that refresh token, if a refresh token is passed.

    But I found that OpenAM is behaving in this way:
    1. If an access token is passed, it revokes the access token as well as the refresh token associated with that access token.
    2. If a refresh token is passed, it revokes only the refresh token. If I obtained multiple access tokens using this refresh token, all the access tokens are still valid.

    To revoke a token I was using this API: /frrest/oauth2/token/<token-id>?_action=revoke

    If my understanding of the API is correct, then how can I achieve the same with OpenAM?

    Any help on this is highly appreciated.

    #5789
     ssripathy
    Participant

    It may very well be a bug based on your tests. But what is the use case you are trying to achieve with these revocations? I guess I have never needed to revoke access or refresh tokens unless an app that had been granted access went away. Plus, you could set shorter expiration times on access tokens if needed.
    Have you looked at OpenID Connect for your use cases, as it's more suited to such end user session management use cases?
    My 2 cents.

    #5794
     suhaibmustafa
    Participant

    Hi Sripathy, I am looking at a use case where a user has granted access to an app on multiple devices that he is using (like mobile, tablet, etc.) and now he wants to revoke access from one of the devices and is trying to uninstall the app. So in this case only the access/refresh token from that device should be revoked, and the other tokens which are being used by other devices should still be valid.

    #5807
     ssripathy
    Participant

    Hi,
    Based on what you mentioned, each device would be a client with separate client creds and refresh/access tokens. Upon that device being removed from the relationship, wouldn't it be easier to do the client delete?
    curl \
    --request DELETE \
    --header "iplanetDirectoryPro: AQIC5wM…3MTYxOA..*" \
    https://openam.example.com:8443/openam/frrest/oauth2/client/myClient

    I guess that would be the next best thing to the challenge you are facing with deleting a refresh token. Although, just deleting the refresh token should still be enough as even if the access tokens are alive they are short lived.

    #6970
     yogeshmsharma
    Participant

    I also want similar stuff. Can you provide the detailed command to revoke it?

    For me it is giving Unauthorized:

    curl --request POST --user "myClientID:password" --data "grant_type=password&username=yogesh&password=yogesh132&scope=cn" http://openamagent.example.com:7020/openam/frrest/oauth2/token/eb28495a-af65-4fec-a604-75f13ad2e8b9?_action=revoke

    OUTPUT
    {"code":401,"reason":"Unauthorized","message":"Access Denied"}

    #7008
     Peter Major
    Moderator

    Note that OpenAM doesn't implement RFC 7009 currently, and even so, revoking access tokens when a refresh token is presented is only a SHOULD in that spec. You can find the RFE for RFC 7009 support at:
    https://bugster.forgerock.org/jira/browse/OPENAM-7146

    #9425
     suhaibmustafa
    Participant

    Hi Yogesh, for revoking, use the DELETE method and an amadmin token instead of POST and clientid/secret.
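The revocation semantics the original poster expected, as an added, constructed Python model of an RFC 7009-style token store (this is illustration code, not OpenAM's implementation; the TokenStore class and its method names are assumed): revoking a refresh token cascades to every access token minted from it, while revoking an access token leaves its siblings and its refresh token valid.

```python
import secrets


class TokenStore:
    """Constructed in-memory model (not OpenAM code) of RFC 7009-style revocation.
    Every access token remembers the refresh token it was issued from, so a
    per-device grant (one refresh token) can be torn down without touching the
    grants held by the user's other devices."""

    def __init__(self) -> None:
        self._grants = {}  # refresh token -> set of live access tokens minted from it
        self._parent = {}  # live access token -> its parent refresh token

    def issue_refresh_token(self) -> str:
        rt = secrets.token_urlsafe(32)
        self._grants[rt] = set()
        return rt

    def issue_access_token(self, refresh_token: str) -> str:
        # A revoked refresh token is removed from _grants, so it can no longer mint.
        if refresh_token not in self._grants:
            raise PermissionError("unknown or revoked refresh token")
        at = secrets.token_urlsafe(32)
        self._grants[refresh_token].add(at)
        self._parent[at] = refresh_token
        return at

    def is_valid(self, token: str) -> bool:
        return token in self._grants or token in self._parent

    def revoke(self, token: str) -> bool:
        """Returns False for unknown tokens. RFC 7009 says to answer HTTP 200
        either way, so an endpoint should not leak that distinction to callers."""
        access_tokens = self._grants.pop(token, None)
        if access_tokens is not None:            # refresh token: cascade
            for at in access_tokens:
                self._parent.pop(at, None)
            return True
        parent = self._parent.pop(token, None)   # access token: only itself
        if parent is None:
            return False
        self._grants[parent].discard(token)
        return True
```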
