Question by Chris Covney · Apr 09, 2015 at 11:09 PM · 1.1k Views
Tags: oauth 2.0, policies, access token, oauth, accesstoken

invalidate refresh token does not throw error when passed an access token

Using the Edge OAuth V2 policies, I've exposed the refresh token invalidation (aka revocation) functionality via a REST API.

The problem is that when I pass this policy an access token instead of a refresh token, it does NOT throw an error, when it absolutely should throw an error. For instance, when I pass in a random alphanumeric string, it appropriately throws an error, so it is indeed verifying the validity of the token. However, it appears that the policy is inappropriately referencing both access and refresh tokens when it should only reference refresh tokens.

Here is my Invalidate refresh token policy code. You'll notice I've specified the token as "refreshtoken" per the documentation specs. For some strange reason, this policy is not throwing an error when it receives an access token.

<OAuthV2 name="revoke-refresh-token">
    <DisplayName>revoke-refresh-token</DisplayName>
    <Operation>InvalidateToken</Operation>
    <ExternalAuthorization>false</ExternalAuthorization>
    <SupportedGrantTypes/>
    <GenerateResponse enabled="true"/>
    <Tokens>
        <Token type="refreshtoken" cascade="true">request.foobar</Token>
    </Tokens>
</OAuthV2>
2 Answers

Best Answer
Answer by gnanasekaran · Apr 09, 2015 at 11:42 PM

The behavior is: if the Token type attribute is 'refreshtoken',

first we try to invalidate the refresh token; if the passed value is not the refresh token, then we check whether it could be an access token. If the passed value is an access token, then the access token is invalidated.

So, in your case I am expecting that the access token is also revoked? Correct? That is also the reason why the policy throws errors for some invalid values and not for valid access tokens.

Unfortunately, it's not there in the document; will check on that. But can you confirm if you are seeing this behavior?

Also, can you please tell us what your use case is? Maybe we could handle it differently.

Thanks,

Chris Covney · Apr 10, 2015 at 03:44 PM

Mukundha,

Thank you for this explanation. Yes, I am seeing this behavior (access token is revoked).

My use case is simple and generic. Essentially, I want the user/client to be able to revoke their own token and/or refresh token as a way of "logging out" for security reasons. Do you need any more details?

I have noticed that once the refresh token is revoked, I can still pass the refresh token to the policy and it will revoke it again and again and again. It does not seem to realize that it's revoked. I've confirmed that the refresh token is invalidated because it is not accepted by the refresh token policy, but for some reason the invalidate does not treat the invalidated refresh token as invalidated. Any ideas here? I even passed a refresh token that was invalid for 12 hours and the policy still invalidated it as if it were not already invalidated. Strange behavior there, but not all that harmful. Misleading perhaps.

Thanks a lot, Mukundha!

gnanasekaran ♦ · Apr 10, 2015 at 04:18 PM

Hi Chris,

Yes, you are right. The policy does not throw errors for already invalidated refresh/access tokens. I will pass on this feedback to our engineers. Thank you for bringing this up.

Thanks,

Chris Covney · Apr 23, 2015 at 07:21 PM

Hi Mukundha,

You're very welcome. I hope the details I've provided are enough for an investigation on the Apigee side. Thanks again for your help.

Best, Chris

Dino ♦♦ · May 28, 2015 at 08:59 PM

The documentation at http://apigee.com/docs/api-services/content/validating-and-invalidating-access-tokens does state that passing an accesstoken, even if the type is "refreshtoken", causes revocation of the access token.

Chris Covney · May 29, 2015 at 02:22 PM

Hi Dino,

I had not noticed that, thanks for the tip. The bigger issue though is the fact that the policy does not throw an error if an invalid refresh token is passed. For example, passing a refresh token repeatedly will not cause any exceptions; however, you would expect to be able to only revoke a refresh token once, haha.

Just to beat a dead horse here, another example is that I'll pass a refresh token, it is successfully revoked. I go and try to refresh my access token / session with said refresh token, and of course it fails because it has been revoked. I go back to the revoke endpoint and pass it the invalidated refresh token, and it accepts the refresh token as still valid and will perform the invalidation operation again. This is definitely a bug, but definitely not a huge bug.

Dino ♦♦ · May 29, 2015 at 11:18 PM

Yes, I understand the situation and agree that it's a bug. I'd prefer that the Revoke should throw a fault if given a revoked token. I'll file a report on that.

Answer by Jeff Nadeau · Jun 19, 2015 at 06:17 PM

Something to consider is that when responding to the client you should not return an error if an invalid token is provided: From https://tools.ietf.org/html/rfc7009:

Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.

I know this post is asking for more information from an internal call, which is a different beast. But something to consider nevertheless.
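To make the two points in this thread concrete (the accepted answer's fallback from refresh token to access token, and the RFC 7009 rule that an unknown or already-revoked token still gets a 200), here is an added example of a minimal revocation endpoint over an in-memory token store. It is not the Apigee policy's implementation or code from anyone in the thread; the store, the `revoke` result strings and the audit log are assumptions made for illustration.

```python
# Added example (not from the thread or from Apigee): a revocation endpoint
# modelled on RFC 7009. Revoking a refresh token cascades to the access tokens
# issued under it; an access token submitted as a "refresh token" is still
# revoked (the fallback described in the accepted answer); and the client
# always receives 200, while the internal result is kept distinct so that
# repeated revocation of a dead token can be logged and alerted on.
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    # refresh_token -> set of access tokens issued with it (constructed state)
    refresh: dict = field(default_factory=dict)
    # access_token -> refresh_token it was issued with
    access: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def issue(self, refresh_token, access_token):
        self.refresh.setdefault(refresh_token, set()).add(access_token)
        self.access[access_token] = refresh_token

    def is_valid(self, token):
        known = token in self.refresh or token in self.access
        return known and token not in self.revoked

    def revoke(self, token, cascade=True):
        """Internal result: 'revoked', 'already_revoked' or 'unknown'."""
        if token in self.revoked:
            return "already_revoked"
        if token in self.refresh:
            self.revoked.add(token)
            if cascade:  # like cascade="true": kill the access tokens too
                self.revoked.update(self.refresh[token])
            return "revoked"
        if token in self.access:
            # Fallback: the value was an access token, revoke just that token.
            self.revoked.add(token)
            return "revoked"
        return "unknown"


def revocation_endpoint(store, token, audit_log):
    """RFC 7009 section 2.2: invalid tokens do not cause an error response.
    The detailed outcome goes to the audit log, not to the client."""
    result = store.revoke(token)
    audit_log.append((token, result))
    return 200
```

The audit log is where a defender would watch for repeated `already_revoked` or `unknown` results from one client, since the client-facing response intentionally hides that distinction.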
