Invalidate access token issued on behalf of an authorization code


Hi,

As per section 4.1.2 of the OAuth RFC spec:

    If an authorization code is used more than once, (1) the authorization
    server MUST deny the request and (2) SHOULD revoke (when possible) all
    tokens previously issued based on that authorization code. The
    authorization code is bound to the client identifier and redirection URI.

The OAuthV2 policy does return invalid request when the code is retried, so that meets the first requirement.

However, the access token issued on behalf of the code is unaffected. Is there a way to achieve this?

Thanks,

Jaskaran



Hello @jaskarangump,

The Apigee OAuthV2 policy supports invalidating an access token with the "InvalidateToken" operation. Moreover, if you select the cascade="true" option, then the associated refresh token also gets invalidated.

More information can be found here.

Moreover, the access tokens associated with an end user or app or both can be revoked. Information can be found here. So, if we associate the end user or app or both while generating the authorization code, then using this mechanism the associated access token (and optionally the refresh token) can also be revoked.

Hope this helps.

@Meghdeep Basu, I don't think the cascade="true" option solves @jaskarangump's issue. He is not talking about invalidating the refresh token.

@jaskarangump, great question.

You can implement the same with a little bit of hacking around policies and Management APIs. You need to store the app_enduser id along with the authcode as an attribute of the access token. How to store the app_enduser id while generating the access token is explained here.

If you see reuse of an AuthCode for a particular app_enduser id, then retrieve all the tokens using the Management API explained here, filter the results by authcode, extract the access token, and invalidate it by calling the revoke access token policy.

The above approach involves use of a service callout to the Management API and some JS/Java code for filtering the results. Ideally, the above logic should be part of Verify Auth Code.

Hope it helps.

Thanks Anil. But there are a couple of issues.

1. How to check whether the auth code was reused? I think it is removed when it is first traded for a token. I checked using the management API, and the auth code disappears after first use.

2. I think usage of the management API is discouraged in a proxy, as management APIs have different SLAs.

I think this should be the default behaviour of the access token policy with the code grant.

Thanks

Jaskaran
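As an added illustration (not code from this thread, from Apigee, or from the OAuthV2 policy), here is a small Python model of an authorization-code token endpoint that does what the RFC text quoted in the question asks for, and what Anil's approach approximates on Apigee: every token keeps the authorization code it was issued from as an attribute, consumed codes are remembered after the first exchange (rather than deleted, which is the detection problem raised in point 1 of the follow-up), and a second presentation of the same code is both denied and used to revoke every token carrying that code. The class and attribute names (AuthServer, consumed_codes, auth_code) and the sample client/redirect values are assumptions made for the example.

```python
"""Constructed model of RFC 6749 section 4.1.2 handling for code reuse.

Not Apigee code: a toy authorization server whose token endpoint
(1) denies a reused authorization code and (2) revokes all tokens that
were previously issued from that code. All names here are assumptions.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    client_id: str
    auth_code: str      # attribute tying the token back to the code it came from
    revoked: bool = False


class AuthServer:
    def __init__(self):
        self.pending_codes = {}   # code -> (client_id, redirect_uri), unexchanged
        self.consumed_codes = {}  # code -> client_id, kept so reuse can be detected
        self.tokens = {}          # token value -> Token

    def issue_code(self, client_id, redirect_uri):
        """Mint a single-use code bound to the client and redirect URI."""
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (client_id, redirect_uri)
        return code

    def exchange(self, code, client_id, redirect_uri):
        """Token endpoint: trade a code for an access + refresh token pair."""
        if code in self.consumed_codes:
            # Reuse detected: deny the request AND revoke everything minted
            # from this code, regardless of which client presented it.
            revoked = self.revoke_by_code(code)
            return {"error": "invalid_grant", "revoked": revoked}

        binding = self.pending_codes.pop(code, None)
        if binding is None or binding != (client_id, redirect_uri):
            # Unknown code, or code bound to a different client/redirect URI.
            return {"error": "invalid_grant", "revoked": 0}

        self.consumed_codes[code] = client_id
        access = Token(secrets.token_urlsafe(24), client_id, code)
        refresh = Token(secrets.token_urlsafe(24), client_id, code)
        self.tokens[access.value] = access
        self.tokens[refresh.value] = refresh
        return {"access_token": access.value, "refresh_token": refresh.value}

    def revoke_by_code(self, code):
        """Revoke every live token whose auth_code attribute matches; return count."""
        count = 0
        for token in self.tokens.values():
            if token.auth_code == code and not token.revoked:
                token.revoked = True
                count += 1
        return count

    def is_valid(self, token_value):
        """What a resource server (or VerifyAccessToken) would check."""
        token = self.tokens.get(token_value)
        return token is not None and not token.revoked


if __name__ == "__main__":
    srv = AuthServer()
    code = srv.issue_code("app1", "https://client.example/cb")
    first = srv.exchange(code, "app1", "https://client.example/cb")
    print("first exchange:", first)
    second = srv.exchange(code, "app1", "https://client.example/cb")
    print("replayed code:", second)
    print("access token still valid?", srv.is_valid(first["access_token"]))
```

The point of `consumed_codes` is that detection needs a record of codes that have already been exchanged; if the code is simply deleted on first use, a replay is indistinguishable from a never-issued code and nothing can be revoked. In a real server that record should expire with the code's lifetime so it does not grow without bound.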