Apigee Management api to revoke access token by end user Id is not working consistently

anshul_
Participant IV

When I try to revoke all the access tokens issued to a user using the management API (https://docs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/oauth2/revoke), I have found that its behaviour is pretty flaky.


I understand that we get 202 in response, which means that the request to revoke the access tokens has been accepted and it takes some time to process. Many times all the access tokens are revoked within a few seconds, and sometimes none is revoked.

Thanks


akoo
Participant V

Hello @aagrawal, this looks to be a product functionality concern. Have you considered opening a Support ticket? We can get more details to understand the situations where access tokens are not getting revoked.

+1 on @Alex Koo's comments. Is this behavior consistent? Did you make the GET call to see if the tokens exist? We will need more info to investigate. I would also recommend you open a support ticket.

Thanks @Alex Koo and @Sai Saran Vaidyanathan for your quick response. The behaviour is pretty inconsistent. Sometimes it revokes immediately and sometimes it takes forever, sometimes it revokes the access token, but not the associated refresh token. That I have confirmed by making the GET calls on the access tokens.

I have already raised a support ticket, but thought that the community would also be a great platform to address my issue.

@Alex Koo @Sai Saran Vaidyanathan

Along with inconsistent behaviour, we have realised one more security issue -

Assume the end user has lost his device, and he requests the App developer or our team to log him out of the application on his lost device. In order to revoke all the access tokens issued to him, we will make the management API call, which will give us 202 in the result with the number of tokens it is going to revoke.

Now, by the time Apigee revokes all the tokens, a new access token can be issued using any active refresh token, which is supposed to be revoked any time soon in the future because of the Management API call we had already made.
Ideally, that access token should never be issued, as the request to revoke all the access tokens and refresh tokens had already been made. This behaviour may let the unauthorized person who possesses the missing device log in to/access the application.

Please let me know if my understanding is wrong. If it is an issue, then it will be a major security concern for us.

@Abhishek Tiwari

@Alex Koo

We face a similar issue; we've two platforms:

1. On-premises (used for Dev & Testing ENVs):

a) It works fine here; the tokens of an enduserId are consistently revoked within a few seconds.

And

b) GET call works fine here.

2. Private cloud (used for higher ENVs):

a) It works inconsistently, and revocation takes longer than in the On-premises case (much longer, >15 mins).

b) Sometimes it doesn't work at all and we get the error below:

{ "code": "datastore.ErrorWhileAccessingDataStore", "message": "Error while accessing datastore;Please retry later", "contexts": [] }

However, the GET call for the same userId works.

Note: One important difference is that the platform where we see the issue (the 2nd platform) is used for performance tests, where we've millions of access_tokens created for a userId (which have a long expiry, like 6 months). Could this be the reason for 2.b?
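Because the revoke call only returns 202 (accepted, processed later), the thread's own advice is to confirm with the GET/search call that both the access and the refresh tokens are really gone before treating the user as logged out. The following is an added example, not code from the thread or from Apigee: a verification loop run against a constructed in-memory stand-in for the management API that models the eventually-consistent behaviour described above (the class, its method names and the token records are all assumptions, not the real endpoint signatures).

```python
import time

# Constructed stand-in for the management API. "revoke" returns 202 and only
# marks the user's tokens for deletion; the "search" view sees the deletion
# after `lag` calls, modelling the asynchronous processing discussed above.
class FakeApigee:
    def __init__(self, tokens, lag):
        self.tokens = list(tokens)   # records: {"token", "type", "enduser"}
        self.pending = None          # enduser whose revocation is in flight
        self.lag = lag
        self.calls = 0

    def revoke_by_enduser(self, enduser):
        self.pending = enduser
        return 202                   # accepted, not yet applied

    def search_by_enduser(self, enduser):
        self.calls += 1
        if self.pending == enduser and self.calls >= self.lag:
            self.tokens = [t for t in self.tokens if t["enduser"] != enduser]
        return [t for t in self.tokens if t["enduser"] == enduser]


def verify_revoked(api, enduser, attempts=10, interval=0.0):
    """Request revocation, then poll until no access *or* refresh token for
    the user remains. Returns (ok, leftover) where leftover lists any token
    still visible as "type:token" so a refresh token left behind is obvious."""
    if api.revoke_by_enduser(enduser) != 202:
        return False, ["revoke not accepted"]
    left = []
    for _ in range(attempts):
        left = api.search_by_enduser(enduser)
        if not left:
            return True, []
        time.sleep(interval)
    return False, sorted(t["type"] + ":" + t["token"] for t in left)


# Constructed sample tokens: user u1 holds an access and a refresh token.
SAMPLE_TOKENS = [
    {"token": "a1", "type": "access", "enduser": "u1"},
    {"token": "r1", "type": "refresh", "enduser": "u1"},
    {"token": "a2", "type": "access", "enduser": "u2"},
]

if __name__ == "__main__":
    print(verify_revoked(FakeApigee(SAMPLE_TOKENS, lag=3), "u1", attempts=5))
    print(verify_revoked(FakeApigee(SAMPLE_TOKENS, lag=10), "u1", attempts=3))
```

Until `verify_revoked` returns `ok`, the device should still be treated as logged in, since any leftover refresh token can mint a new access token exactly as the earlier post describes.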