Revoke access token based on custom attribute

Hi

We are creating an access token with a custom attribute, Intent id. Next we need to revoke that particular access token based on that custom attribute. Can you please let us know the way to do that?


Hi @Krishnaswami Ramasubramanian - not sure what value Intent id would hold in your case (hope it's OpenID Connect related). But in general you could invalidate an access token using the OAuth policy - InvalidateToken operation

<OAuthV2 name="InvalidateToken">
  <Operation>InvalidateToken</Operation>
  <Tokens>
    <!-- The Token element names a flow variable that must resolve to the bare token
         string. If the client sends "Bearer <token>" in the Authorization header,
         extract the token into its own variable first and reference that variable here.
         cascade="true" also revokes the refresh token associated with this access token.
         Note that this operation revokes a token you already hold; it does not look one up. -->
    <Token type="accesstoken" cascade="true">request.header.Authorization</Token>
  </Tokens>
</OAuthV2>

More info on revoking access tokens can be found here

For your scenario - you can have a condition in your flow that first validates the Intent Id, and if it's true, execute the above policy

Hope this helps

Thanks for your response. Can you please clarify more?

Problem Statement: We need to expose an API which should invalidate a token based on its custom attribute. The input is not the token, only the Intent id.

Step 1: An API with client-credentials authentication is to be exposed, which will take as input an Intent id (which is a custom attribute of an access token).

Step 2: Identify the exact access token for that Intent Id (custom attribute).

Step 3: Revoke the respective access token, which is the easy step using the OAuthV2 policy.

My main query is: what is the exact way to identify the access token based on its custom attribute?

Not sure that is possible. And I don't think it's the right use of a custom attribute. Will the client use a unique Intent Id for every call / token call? What if the same Intent Id is used for more than one token? Can you also provide some info on what this Intent Id is?

Thanks for your quick response.

This is for PSD2, and OBIE specifies that the Intent id is the identification that a bank provides to a third party provider (AISP/PISP) for every access request. It specifies exposing an API to delete the access provided for a resource. Every request will have a unique id called the Intent Id.

Below are the answers to your queries

Will the client use a unique Intent Id for every call / token call? Answer: The client will pass a unique Intent Id for only this Delete Resource call.

What if the same Intent Id is used for more than one token? One token will always have one Intent Id. The Intent Id is a UUID which we create and add as a custom attribute to the token for validation.

Since that Intent id is added as a custom attribute, we want to invalidate the token associated with it. But the request for this operation will have only the Intent Id as input.
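The three-step procedure above (look up the token by Intent Id, then revoke it) and the question of what happens when one Intent Id maps to more than one token both come down to the same design point: the token issuer has to maintain its own index from the custom attribute to the token at issuance time, because the revocation request carries only the attribute. The following is an added example, not Apigee code and not anything posted in this thread; it models that index in plain Python so the logic can be run and checked. The class and method names (`TokenStore`, `issue`, `revoke_by_intent`) are illustrative assumptions, and the token store models the gateway's own token table, for which Apigee's OAuthV2 policy is the real counterpart.

```python
"""Model of an access-token store that can revoke a token by a custom attribute.

Added example (not Apigee's API): the gateway has no lookup by custom attribute,
so a side index keyed by the Intent Id is written at issuance time and consulted
by the revocation endpoint. All names below are illustrative.
"""
import hashlib
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional


def _fingerprint(token: str) -> str:
    # Index tokens by a SHA-256 fingerprint so the side index never holds a
    # usable bearer token; verification hashes the presented token the same way.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class TokenStore:
    # fingerprint -> custom attributes of the live token
    _tokens: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # intent_id -> fingerprint; exactly one token per Intent Id, enforced at issuance
    _by_intent: Dict[str, str] = field(default_factory=dict)

    def issue(self, intent_id: str, client_id: str) -> str:
        """Issue a token carrying intent_id as a custom attribute (Step 1 of the procedure
        binds the attribute at token generation). Rejects a second token for the same intent."""
        uuid.UUID(intent_id)  # the poster states the Intent Id is a UUID; reject anything else
        if intent_id in self._by_intent:
            raise ValueError(f"intent {intent_id} is already bound to a live token")
        token = secrets.token_urlsafe(32)
        fp = _fingerprint(token)
        self._tokens[fp] = {"intent_id": intent_id, "client_id": client_id}
        self._by_intent[intent_id] = fp
        return token

    def verify(self, token: str) -> Optional[Dict[str, str]]:
        """Return the token's attributes if it is live, else None."""
        return self._tokens.get(_fingerprint(token))

    def revoke_by_intent(self, intent_id: str) -> bool:
        """Step 2: find the token via the index; Step 3: invalidate it.
        Returns False when no live token is bound to the intent (idempotent)."""
        fp = self._by_intent.pop(intent_id, None)
        if fp is None:
            return False
        self._tokens.pop(fp, None)
        return True

    def revoke_token(self, token: str) -> bool:
        """Ordinary revocation by presented token; also drops the intent index entry
        so a later revoke_by_intent cannot refer to a token that no longer exists."""
        attrs = self._tokens.pop(_fingerprint(token), None)
        if attrs is None:
            return False
        self._by_intent.pop(attrs["intent_id"], None)
        return True


def demo() -> Dict[str, bool]:
    """Walk the procedure end to end with constructed sample data and return the checks."""
    store = TokenStore()
    intent = str(uuid.uuid4())            # constructed Intent Id
    token = store.issue(intent, client_id="tpp-app")  # constructed client id
    results = {"verified_before": store.verify(token) is not None}
    try:
        store.issue(intent, client_id="tpp-app")  # same intent twice must be rejected
        results["duplicate_rejected"] = False
    except ValueError:
        results["duplicate_rejected"] = True
    results["revoked"] = store.revoke_by_intent(intent)
    results["verified_after"] = store.verify(token) is not None
    results["revoke_again"] = store.revoke_by_intent(intent)  # second revoke is a no-op
    return results


if __name__ == "__main__":
    print(demo())
```

The model hashes the token because it also owns verification. On Apigee itself the InvalidateToken operation needs the token value, so a side index there (for example a KVM written after the GenerateAccessToken step) would have to hold the token itself and should therefore be an encrypted map, with the Delete Resource endpoint protected by client-credentials verification before it performs the lookup and revocation.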

Thanks for the clarification.

Including @Sean Davis to provide his input as it's PSD2 related.

What @Krishnaswami Ramasubramanian meant is, a custom attribute is attached to an access token and it is unique to that access token. Can we use that custom attribute to

1. fetch access token

2. Revoke Access token

Hi @Krishnaswami Ramasubramanian, did you get an answer for this? I have a similar requirement.