How to revoke Access Tokens except a Access Token sent by request
I referred to this page. Then I want to realize the following functions.
It obtains End User ID from a access token sent by the request, Revoke access tokens on condition that End User ID. However, only the access token sent by the request is kept valid without being revoked.
How should it be implemented?
Answer by Madhan+Sadasivam
·
Sep 02, 2017 at 09:21 PM
The operation would invalidate all the tokens, you can follow it up with a validatetoken operation to bring it back in the same request.
<OAuthV2name="ValidateToken">
<Operation>ValidateToken</Operation>
<Tokens>
<Tokentype="accesstoken"cascade="true">flow.variable</Token>
</Tokens>
</OAuthV2>
Thanks, @Madhan Sadasivam
I tried a method to activate only a specific token with a policy after revoking all tokens with the Management API.
However, the response of the Management API is Status Code 202 (Accepted), which doesn't assure that all token invalidation processing has ended. As a result, the activation process was executed before the invalidation process was finished, and eventually all the tokens became invalidated in the end.
I considered putting sleep processing before activation process. But I gave it up, because the time to eliminate the above possibility was unclear.
