Revoke existing end user OAuth 2.0 access tokens for password change

Hi Team,

I have a password change use case wherein we require revoking all OAuth 2.0 access tokens generated for an end user before requesting the password change service, for session state management and device/channel logout.

I found an Apigee Edge management API to revoke all access tokens generated for a specific APP_USER_ID, but I'm not sure if it's advisable to use the management API in a proxy for this use case. Could you please advise on this?

@dknezic @Sanil 



Apigee X supports revocation via policy, which would solve this: https://cloud.google.com/apigee/docs/api-platform/reference/policies/revoke-oauth-v2-policy#revoke-b...

Assuming you're using OPDK/Edge, I'm not aware of another way other than the Management API. Presumably you could do this with a fire-and-forget call, and given there's no SLA on the Management API, you may need to also assume there's no guarantee the call will execute successfully.
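To make the trade-off in this reply concrete, here is an added example (not code from the thread or from Apigee's own samples) in the shape of an Apigee Edge JavaScript-policy helper: it revokes every OAuth 2.0 token of one end user through the Management API, either synchronously (wait and report the outcome so the proxy can decide whether to proceed with the password change) or fire-and-forget (outcome unknown). Assumptions: the Edge Management API path `/v1/organizations/{org}/oauth2/revoke` with the `enduser` and `cascade` query parameters, a Basic-auth credential fetched from a private KVM earlier in the flow, and the policy's `httpClient` and `Request` objects passed in as parameters so the helper can be exercised outside Apigee.

```javascript
// Added example (not the thread's or Apigee's own code). Assumed: Edge
// Management API path /v1/organizations/{org}/oauth2/revoke?enduser=...&cascade=true,
// and a Basic-auth credential already read from a private KVM into `basicAuth`.

// Build the revocation request. In the policy, `RequestCtor` is Apigee's
// `Request` constructor: new Request(url, method, headers, body).
function buildRevokeRequest(RequestCtor, msHost, org, endUserId, basicAuth) {
  // encodeURIComponent guards against end-user ids with reserved characters
  var url = msHost + '/v1/organizations/' + encodeURIComponent(org) +
    '/oauth2/revoke?enduser=' + encodeURIComponent(endUserId) + '&cascade=true';
  return new RequestCtor(url, 'POST', { 'Authorization': 'Basic ' + basicAuth }, '');
}

// Returns an object the proxy can branch on, e.g. to set a flow variable and
// reject the password change when revocation could not be confirmed.
// waitForResult=true  -> synchronous: block until the Management API answers
// waitForResult=false -> fire and forget: the outcome is never reported here
function revokeUserTokens(httpClient, req, waitForResult) {
  var exchange = httpClient.send(req);
  if (!waitForResult) {
    return { outcome: 'unknown', mode: 'async' };
  }
  exchange.waitForComplete(); // bounded by the JavaScript policy's timeLimit
  if (!exchange.isSuccess()) {
    // transport failure or timeout: the tokens may still be live
    return { outcome: 'failed', mode: 'sync', error: String(exchange.getError()) };
  }
  var status = Number(exchange.getResponse().status);
  return { outcome: (status >= 200 && status < 300) ? 'revoked' : 'failed',
           mode: 'sync', httpStatus: status };
}

// Inside the policy (not executed here) the wiring would look like:
//   var req = buildRevokeRequest(Request, context.getVariable('private.ms_host'),
//                                context.getVariable('private.org'),
//                                context.getVariable('request.formparam.user_id'),
//                                context.getVariable('private.ms_basic_auth'));
//   var result = revokeUserTokens(httpClient, req, true);
//   context.setVariable('revoke.outcome', result.outcome);
```

A RaiseFault step conditioned on `revoke.outcome != "revoked"` is the simplest way to make the password change depend on confirmed revocation; with the fire-and-forget mode there is nothing to condition on.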

Thanks for your response.

Yes, I am using OPDK/Edge. The Management and MP servers are provisioned in the same network, so what if we use a synchronous call rather than the async call?


You might want to think through the impact on your API consumer/use case if the call fails or eventually times out, and also what this means in terms of your business requirement.

Thanks for the insights.