Verify access token policy should fail if token is revoked, but it passes/fails on alternate calls for revoked access token.

Revoking by:

<OAuthV2 name="DeleteAccessToken">
    <Operation>InvalidateToken</Operation>
    <Tokens>
        <!-- "access_token" names a flow variable that must already hold the token string -->
        <Token type="accesstoken" cascade="true">access_token</Token>
    </Tokens>
</OAuthV2>


Verifying by:

<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessToken">
    <DisplayName>VerifyAccessToken</DisplayName>
    <FaultRules/>
    <Properties/>
    <Operation>VerifyAccessToken</Operation>
</OAuthV2>
1 ACCEPTED SOLUTION


By default, access tokens and other entities such as Developer, App, Application keys, etc. are cached in memory for 3 min. The Edge platform is distributed in nature, so there are multiple runtime components active at a time which might have cached the token locally. Hence the behavior you are seeing. But you should not see that behavior after 3 min. Are you still seeing it?

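A constructed simulation of the cache behavior the accepted solution describes (an added example, not Apigee code): each runtime node keeps a private 3-minute cache of token lookups, so after InvalidateToken runs only the node that handled the revocation rejects the token at once, and round-robin calls alternate between pass and fail until the TTL expires. It assumes the revoking node drops its own cached copy; node count, call count and the token value are made up for the demo.

```python
# Constructed model of distributed token caching; not the Edge implementation.
CACHE_TTL_SECONDS = 180  # the 3-minute in-memory cache named in the accepted answer


class TokenStore:
    """Shared persistent store: the source of truth for token status."""
    def __init__(self):
        self.status = {}                  # token -> "approved" | "revoked"

    def issue(self, token):
        self.status[token] = "approved"

    def revoke(self, token):              # what InvalidateToken writes
        if token in self.status:
            self.status[token] = "revoked"


class RuntimeNode:
    """One message processor with a private cache of (status, cached_at)."""
    def __init__(self, store, clock):
        self.store, self.clock, self.cache = store, clock, {}

    def verify(self, token):
        """VerifyAccessToken: answer from the cache while the entry is fresh."""
        now = self.clock()
        if token in self.cache:
            status, cached_at = self.cache[token]
            if now - cached_at < CACHE_TTL_SECONDS:
                return status == "approved"
        status = self.store.status.get(token, "unknown")
        self.cache[token] = (status, now)  # a str, so the cache holds a snapshot
        return status == "approved"

    def evict(self, token):
        self.cache.pop(token, None)


def simulate(num_nodes=2, calls=4):
    """Round-robin verify calls after revocation: (before TTL, after TTL)."""
    clock = [0]                           # simulated seconds, advanced by hand
    store = TokenStore()
    nodes = [RuntimeNode(store, lambda: clock[0]) for _ in range(num_nodes)]
    token = "constructed-demo-token"
    store.issue(token)
    for node in nodes:                    # every node has served the token once
        node.verify(token)
    store.revoke(token)                   # revocation handled on node 0 ...
    nodes[0].evict(token)                 # ... which drops its own cached copy (assumed)
    before = [nodes[i % num_nodes].verify(token) for i in range(calls)]
    clock[0] += CACHE_TTL_SECONDS         # wait out the cache TTL
    after = [nodes[i % num_nodes].verify(token) for i in range(calls)]
    return before, after
```

The alternating pattern before the TTL is what the question reports; a consistent rejection after the TTL is how to tell stale caches apart from a token that was never in the flow variable at all.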

3 REPLIES

Hi,

Just checking, but are you sure that the token you are revoking is actually in the flow variable called "access_token"? Typically, you'd pull it from a query parameter or header variable on the request, like this, where "access_token" is the name of the query param or header:

request.queryparam.access_token

or

request.header.access_token

Hi,

Thanks for this useful detail.

I experience exactly the same behavior. Token revocation acts like a "logout" button, so this is a security issue for us, since we expect that a "logout" button immediately disconnects users.

Is there a way to immediately invalidate tokens on all runtimes?