How do I retrieve access tokens for specific end user IDs from an API proxy?

My team and I are currently trying to implement a revoke feature for refresh tokens generated by Apigee. We want to create an API proxy endpoint that retrieves the end user ID from the provided access token, then finds all the access tokens related to that user ID, and finally revokes all of them.

I was reading http://docs.apigee.com/management/apis/get/organizations/%7Borg_name%7D/oauth2/search which says 'For example, you may wish to provide a way for users to discover which third-party apps they've authorized and to revoke their own access tokens for those apps.'

We are trying to do exactly that. However, the search API on that page is a management API, which requires organization administrator credentials.

How do I call the '/oauth/search' API from an API proxy?

Or, is there another way to retrieve all the access tokens for a specific end user ID in an API proxy?


naggc
New Member

Just quickly reading through, this is not out-of-the-box functionality, but it can be added on. You can either add this or just create custom attributes as metadata at token creation and retrieve them during the flow or via API.

http://docs.apigee.com/api-services/content/customizing-access-tokens

http://docs.apigee.com/api-reference/content/enable-retrieval-and-revocation-oauth-20-access-tokens-...

There is no field for end user ID in the default OAuth access token. To enable retrieval and revocation of OAuth 2.0 access tokens by end user ID, you have to configure the OAuth 2.0 policy to include the user ID in the token, as described in the procedure below. Note that if you only want to retrieve and revoke OAuth 2.0 access tokens by app ID, then there is no need to enable access by end user ID.

Hope that helps
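
A sketch of the configuration the reply describes, added here as an illustration and not taken from the original post or from Apigee's documentation: an OAuthV2 policy that records the end user ID on each token it issues, both through `<AppEndUser>` and as a custom attribute. The policy name, the attribute name `end_user_id`, and the flow variable `authn.user_id` are assumptions; the variable is taken to be set by an earlier step in the flow that has already authenticated the user.

```xml
<!-- Added example: policy name, attribute name and flow variable are hypothetical. -->
<OAuthV2 name="OA-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>

  <!-- Lifetimes in milliseconds; values are placeholders. -->
  <ExpiresIn>1800000</ExpiresIn>
  <RefreshTokenExpiresIn>86400000</RefreshTokenExpiresIn>

  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>

  <!-- Stores the end user ID with the token so tokens can later be
       looked up and revoked per user. Read it from a variable populated
       after the user was authenticated, not from a raw request parameter
       the client controls, otherwise a caller could tag tokens with
       another user's ID. -->
  <AppEndUser>authn.user_id</AppEndUser>

  <!-- The custom-attribute alternative mentioned in the reply.
       display="false" keeps the attribute out of the token response
       while leaving it readable inside proxy flows. -->
  <Attributes>
    <Attribute name="end_user_id" ref="authn.user_id" display="false"/>
  </Attributes>

  <GenerateResponse enabled="true"/>
</OAuthV2>
```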