Questions about the conditions for the APIs of OAuth2 Access Token Get/Revoke to succeed


Hi Team,

A customer asked me about the design specification of OAuth2 Access Token APIs.

1. Get OAuth2 Access Token by End User or App ID

Is it designed so that getting an Access Token whose status is not 'approved', meaning either 'revoked' or 'expired', is not possible?
The API spec doesn't mention it.

2. Revoke OAuth2 Access Token by End User or App ID

Is it designed so that revoking an Access Token whose status is 'expired' is not possible?
The API spec doesn't mention it.

Thank you for your help in advance.

Regards,
Toshi

1 ACCEPTED SOLUTION


1. Revoked or expired Apps cannot get an access token. Ideally, generating an access token should be implemented as a POST call in the OAuth proxy. You can implement it as a GET call as well.

2. Revoking an Access token disables the access for that token to invoke APIs. The App can obtain a new access token by calling the auth endpoint and access APIs. If you want to disable access for an App, then you need to revoke the App itself.


Also, when tokens expire, they don't need to be revoked.

Typically, you would configure Apigee Edge to issue a token, and to set a lifetime of 30 minutes or 60 minutes when doing so. After that lifetime expires, the token is no longer valid for use, and will be rejected if presented in a request. There is no need to "revoke" that token.

Revoking a token is an explicit step: "please mark this valid token as revoked".

Token expiration happens implicitly.
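As an added illustration of the distinction drawn above (these are example policy fragments written for this thread, not code from the replies or from Apigee's own samples; the policy names are made up), the three Apigee Edge OAuthV2 policies below issue a token with a 30-minute lifetime, reject it once it has expired or been revoked, and mark a still-valid token as revoked on request:

```xml
<!-- Added example (constructed policy names): issue a token that expires
     implicitly after 30 minutes. ExpiresIn is in milliseconds. -->
<OAuthV2 name="GenerateAccessToken-30min">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Attached to the protected API proxy: an expired token, or one that was
     explicitly revoked, fails verification here. No separate "revoke on
     expiry" step is needed. -->
<OAuthV2 name="VerifyAccessToken-Protected">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- Explicit revocation: marks a token that is still within its lifetime as
     revoked. The token value is read from the "token" form parameter of the
     revocation request (an assumed parameter name). -->
<OAuthV2 name="InvalidateToken-Explicit">
  <Operation>InvalidateToken</Operation>
  <Tokens>
    <Token type="accesstoken">request.formparam.token</Token>
  </Tokens>
</OAuthV2>
```

A refresh token is a separate `<Token type="refreshtoken">` entry in the InvalidateToken policy; revoking only the access token does not by itself stop the app from refreshing.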

Thank you very much Akinadiyil and Dino for the answers.


Hello,

I have one follow-up question.

Regarding 'Revoke OAuth2 Access Token by End User or App ID' the customer wants to know:

Is there a feature on Edge to disable the users whose access token has been revoked, meaning that they can no longer succeed in refreshing the access token?

Is this supported by Edge with some Management API or whatever?
Or, if not, do they have to manage it on the API proxy side, using the received 'request.header.appuserID' to disable those users with some scripts, etc.?

Regards,
Toshi