Revoke token sometimes takes >2mins. Any way to improve?

Not applicable

We have /revoke endpoint so that users can invalidate an accesstoken and an associated refreshtoken.

The problem is that sometimes (about 1 in 10) it takes more than 120 seconds for a token to become invalid. About 3 out of 10 cases it takes at least 30 seconds to invalidate the token. In all cases we've seen so far EVENTUALLY the tokens get invalidated.

This is the policy that is doing the work:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="Invalidate-Token">
    <Operation>InvalidateToken</Operation>
    <Tokens>
        <!-- cascade="true" also revokes the refresh token associated with this access token -->
        <Token type="accesstoken" cascade="true">request.formparam.access_token</Token>
    </Tokens>
</OAuthV2>

Probably this is due to some syncing between message processors.

Is there a way to speed this up or is there a better way to handle the use case of revoking access tokens?

Thanks for reading.

Regards,

Niels


Former Community Member
Not applicable

Revocation of a token in a distributed architecture will never be instantaneous (we use eventual consistency). The times you have indicated are within what I think as reasonable SLA.

We're experiencing the same problem.

We have two cases.

CASE1) Using Policy "OAuthV2" for Operation "InvalidateToken"

* Purpose: cancel only the specified access token

==> The access token was changed to revoked after about seconds.

CASE2) Using Management API "Revoke OAuth2 Access Token by End User"

* Purpose: cancel all access tokens related to the user

==> The access token was changed to revoked after about 1-3 seconds.

In both cases, we expect the access token to change to revoked within a few seconds.

Could you tell us why it takes so much time when using the "OAuthV2" policy?

Regards,

Kaz

Former Community Member
Not applicable

Takahashi-san, can you please provide details on "why it takes a lot of time using Policy"? How much time are you seeing? Is it always the same?

Not applicable

We tested a scenario like this.

1) First, we posted to the logout URL, which uses the "OAuthV2" policy with operation "InvalidateToken", and it soon returned 200.

2) Second, we posted to the search-resources URL, which uses the "OAuthV2" policy with operation "VerifyAccessToken", with the same access token in the HTTP header.

We were expecting an "Access Token not approval" error, but it also returned 200.

3) To check the situation, we logged in to the management server and ran this curl command:

"http://localhost/v1/o/{org_name}/oauth2/accesstokens/{access_token}"

It displayed "status : approved".

4) We kept running the same command every five seconds. After 150 seconds, we finally saw "status : revoked".

5) Finally, we posted to the search-resources URL again, and it returned 401 with an "Access Token not approval" error.

Not applicable

It was between 140 and 160 seconds.

We only tried it several times.

If it's important, we'll test and measure the time again.

Former Community Member
Not applicable

No, I think that is a reasonable time for the revocation.

Revocation of an OAuth token is not instantaneous. Apigee Edge is a highly available and distributed software that is deployed across multiple regions and zones within a region. It takes time for the revocation to propagate changes across the zones.

Not applicable

We know Apigee has two ways to revoke an access token.
One way is to use the Policy. The other way is to use the Management API.

Today we tested both ways again in our AWS development environment.
With the Policy, it takes about 90 to 160 seconds to change to "revoked". But with the Management API, it was less than one second.

If the Management API is guaranteed to be consistent, we want to use the Management API to shorten the time it takes to change to "revoked".
Is there any problem with that?
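The measurement Kaz describes in steps 1-5 (revoke, then poll the management API until the token reads "revoked") is easy to script so that both revocation routes from the thread, the proxy's /revoke resource backed by the InvalidateToken policy and a direct call to the management API, can be timed the same way. The script below is an added example written for this page; it is not code from the thread or from Apigee. The management host, organization, credentials and proxy URL are hypothetical placeholders, and the management-API revoke form (POST to the accesstokens resource with ?action=revoke) is written from memory of the Edge API, so check it against your own documentation before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread: time how long an Apigee Edge access
# token takes to read "revoked" on the management API after revoking it via
# either route discussed above. All settings below are hypothetical defaults.
MGMT_HOST=${MGMT_HOST:-http://localhost:8080}                # management server
AUTH=${AUTH:-admin@example.com:password}                     # management API credentials
ORG=${ORG:-myorg}                                            # organization name
PROXY_URL=${PROXY_URL:-https://myorg-test.apigee.net/oauth}  # proxy exposing /revoke
TOKEN=${TOKEN:-}                                             # access token under test

# Pull the "status" field out of the management API's JSON reply (read from stdin).
parse_status() {
  sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p' | head -n 1
}

# Live status check: the same GET the thread ran with curl on the management server.
mgmt_token_status() {
  curl -s -u "$AUTH" "$MGMT_HOST/v1/o/$ORG/oauth2/accesstokens/$TOKEN" | parse_status
}

# Route 1: POST to the proxy's /revoke resource, which runs the OAuthV2
# InvalidateToken policy from the question. Prints the HTTP status code.
revoke_via_proxy() {
  curl -s -o /dev/null -w '%{http_code}' -X POST "$PROXY_URL/revoke" \
    -d "access_token=$TOKEN"
}

# Route 2: revoke the token directly on the management API.
# The "?action=revoke" form is an assumption; verify it against your Edge docs.
revoke_via_mgmt() {
  curl -s -o /dev/null -w '%{http_code}' -u "$AUTH" -X POST \
    "$MGMT_HOST/v1/o/$ORG/oauth2/accesstokens/$TOKEN?action=revoke"
}

# Poll $1 (a function that prints the token status) every $3 seconds, at most
# $2 times. Prints elapsed wall-clock seconds; exit status 0 once the status
# reads "revoked", 1 if it never does within the poll budget.
wait_for_revoked() {
  check_fn=$1; max_polls=$2; interval=$3
  start=$(date +%s); polls=0
  while [ "$polls" -lt "$max_polls" ]; do
    if [ "$("$check_fn")" = "revoked" ]; then
      echo $(( $(date +%s) - start ))
      return 0
    fi
    polls=$((polls + 1))
    sleep "$interval"
  done
  echo $(( $(date +%s) - start ))
  return 1
}

# Revoke with the named function, then measure propagation (5 s polls, 5 min cap).
measure() {
  code=$("$1")
  echo "$1: revoke call returned HTTP $code"
  if secs=$(wait_for_revoked mgmt_token_status 60 5); then
    echo "$1: management API reports revoked after ${secs}s"
  else
    echo "$1: still not revoked after ${secs}s"
  fi
}

# Usage: TOKEN=<access token> sh measure_revoke.sh proxy|mgmt
case "${1:-}" in
  proxy) measure revoke_via_proxy ;;
  mgmt)  measure revoke_via_mgmt ;;
esac
```

Run it several times per route against the same environment and compare the printed seconds; a reading of zero from the management route versus 90-160 seconds from the proxy route would reproduce what this thread reports. Note that the number measures when the management API sees the change, not when every message processor stops accepting the token, so pair it with a VerifyAccessToken call through the proxy (step 2 above) if that is the guarantee you actually need.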