Revoking by:

```xml
<OAuthV2 name="DeleteAccessToken">
  <Operation>InvalidateToken</Operation>
  <Tokens>
    <Token type="accesstoken" cascade="true">access_token</Token>
  </Tokens>
</OAuthV2>
```

Verifying by:

```xml
<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessToken">
  <DisplayName>VerifyAccessToken</DisplayName>
  <FaultRules/>
  <Properties/>
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```
Hi,
Just checking, but are you sure that the token you are revoking is actually in the flow variable called "access_token"? Typically, you'd pull it from a query parameter or header variable on the request, like this, where "access_token" is the name of the query param or header:
request.queryparam.access_token
or
request.header.access_token
By default, access tokens and other entities such as Developer, App, Application keys, etc. are cached in memory for 3 min. The Edge platform is distributed in nature, so there are multiple runtime components active at a time that might have cached the token locally. Hence the behavior you are seeing. But you should not see that behavior after 3 min. Are you still seeing it?
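A simplified model of the caching behavior described in the answer above, added as an example that is not part of the original thread and is not Apigee's implementation. The class names, the per-node cache layout and the sample token are assumptions; it shows that a node which cached the token before revocation keeps accepting it until its own 3-minute entry expires, while a node with no cached entry rejects it at once.

```python
CACHE_TTL = 180  # seconds; the 3-minute default stated in the answer above


class TokenStore:
    """Shared source of truth for token status (assumed layout)."""

    def __init__(self):
        self.status = {}

    def issue(self, token):
        self.status[token] = "approved"

    def revoke(self, token):
        self.status[token] = "revoked"


class RuntimeNode:
    """One runtime component with its own in-memory cache (assumed)."""

    def __init__(self, store):
        self.store = store
        self.cache = {}  # token -> (status, time the entry was cached)

    def verify(self, token, now):
        entry = self.cache.get(token)
        if entry is None or now - entry[1] >= CACHE_TTL:
            # Miss or expired entry: re-read the shared store.
            entry = (self.store.status.get(token, "unknown"), now)
            self.cache[token] = entry
        return entry[0] == "approved"


def revocation_window(cached_at, revoked_at):
    """Return (fresh_node_accepts, stale_seconds) for a token that one node
    cached at `cached_at` and that was revoked at `revoked_at`
    (cached_at <= revoked_at, both in seconds)."""
    token = "tok-constructed"  # constructed sample value
    store = TokenStore()
    store.issue(token)
    stale_node, fresh_node = RuntimeNode(store), RuntimeNode(store)
    stale_node.verify(token, cached_at)  # this node now caches "approved"
    store.revoke(token)  # revocation reaches the shared store
    fresh_accepts = fresh_node.verify(token, revoked_at)
    t = revoked_at
    while stale_node.verify(token, t):  # count seconds of stale acceptance
        t += 1
    return fresh_accepts, t - revoked_at
```

In this model the stale window is never longer than `CACHE_TTL` and shrinks to zero once the caching node's entry is older than the TTL at revocation time.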
Hi,
Thanks for this useful detail.
I experience exactly the same behavior. Token revocation acts like a "logout" button, so this is a security issue for us since we expect that a "logout" button immediately disconnects users.
Is there a way to immediately invalidate tokens on all runtimes?