Passing revoked refresh token is not breaking the flow


Hi,

I have created a proxy to revoke access and refresh tokens. When I pass the revoked access_token again to revoke, the GetOAuthV2Info policy I have in the flow throws the 'The access token has been revoked' error (I hope that's expected behavior).

But when passing a revoked refresh_token, the GetOAuthV2Info policy does not throw any error and I am able to get the info of the revoked refresh_token, although that refresh_token is already revoked, as I am not able to generate an access_token using that refresh_token.

Is this the expected behavior of GetOAuthV2Info policy in case of revoked refresh_token?

<GetOAuthV2Info name="GetOauthRefreshTokenID">
  <RefreshToken ref="requestToken"></RefreshToken>
</GetOAuthV2Info>


Hi @Abhishek Tiwari,

This is the intended behavior. Note that the access token and refresh token will still remain in Cassandra for some time even after they have been revoked. The important thing is that the refresh_token_status field is 'revoked' for this refresh token that you have revoked.
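One way to make the flow stop on a revoked refresh token, as the answer above suggests checking the status field (an added example, not part of the original thread or of either poster's proxy): it assumes the policy populates the flow variable `oauthv2refreshtoken.GetOauthRefreshTokenID.refresh_token_status`, following the `oauthv2refreshtoken.{policy_name}.*` naming that GetOAuthV2Info uses; the RaiseFault policy name `RF-RefreshTokenRevoked`, the 400 status and the message text are hypothetical choices.

```xml
<!-- Example only: two fragments shown together. -->

<!-- 1) Hypothetical policy file: policies/RF-RefreshTokenRevoked.xml -->
<RaiseFault name="RF-RefreshTokenRevoked">
  <FaultResponse>
    <Set>
      <!-- Status code and message are illustrative choices -->
      <StatusCode>400</StatusCode>
      <ReasonPhrase>Bad Request</ReasonPhrase>
      <Payload contentType="text/plain">The refresh token has been revoked</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- 2) Steps inside the revoke flow's <Request> of the proxy endpoint -->
<Request>
  <!-- The lookup from the question: succeeds even for a revoked refresh token -->
  <Step>
    <Name>GetOauthRefreshTokenID</Name>
  </Step>
  <!-- Explicit check: break the flow when the stored status is 'revoked'.
       Variable name is assumed from the {policy_name} convention. -->
  <Step>
    <Name>RF-RefreshTokenRevoked</Name>
    <Condition>oauthv2refreshtoken.GetOauthRefreshTokenID.refresh_token_status = "revoked"</Condition>
  </Step>
</Request>
```

Inspecting the populated `oauthv2refreshtoken.*` variables in a debug/trace session confirms the exact variable name and status value before relying on the condition.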

Thanks Mark. 🙂