Revoke Access Token

I'm trying to revoke the access token, but while revoking the access token it's hitting the target and I'm getting the error - { "Message": "An error has occurred." }, need help?

1 ACCEPTED SOLUTION

@gopal

You can revoke the access token using the OAuthV2 policy with the InvalidateToken operation. Try the below code; it worked for me.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="RevokeAccessToken">
    <DisplayName>RevokeAccessToken</DisplayName>
    <Operation>InvalidateToken</Operation>
    <Tokens>
        <Token type="accesstoken" cascade="true">request.header.access_token</Token>
    </Tokens>
    <GenerateResponse enabled="true"/>
</OAuthV2>

For more info, you can refer to the below Apigee doc:

https://docs.apigee.com/api-services/content/validating-and-invalidating-access-tokens

Hope this helps.


4 REPLIES

Hi Kiran

We are using the OAuthV2 policy as you have mentioned, but it is still hitting the target endpoint.

We have created the revoke-access-token logic as a shared flow and are then using it in the proxy.

Kindly provide any other pointers to check.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-RevokingTokens">
    <DisplayName>OA-RevokingTokens</DisplayName>
    <Operation>InvalidateToken</Operation>
    <Tokens>
        <Token type="accesstoken" cascade="true">request.header.access_token</Token>
        <Token type="refreshtoken" cascade="true">request.header.refresh_token</Token>
    </Tokens>
    <GenerateResponse enabled="true"/>
</OAuthV2>

@chandana r

I have a couple of questions:

Is it mandatory to hit the TargetEndpoint to revoke the access token?

Do you have a separate API to revoke the access token? If yes, use a route rule with no route, so that it will not hit the TargetEndpoint.

For example: if your revoke API has the path suffix /revoke, your route rule will be:

<RouteRule name="NoRoute"><Condition>proxy.pathsuffix MatchesPath "/revoke"</Condition></RouteRule>

Hope this helps.
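As an added example (not code from any poster in this thread) tying the two answers together: a ProxyEndpoint that runs the InvalidateToken policy on GET /revoke and pairs it with a RouteRule that has no TargetEndpoint, so the revocation is completed inside Apigee and the backend is never called. The policy reads the token from the query parameter the asker's call uses instead of a header; the file names, base path and virtual host are assumptions.

```xml
<!-- apiproxy/policies/OA-RevokingTokens.xml (assumed file name) -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA-RevokingTokens">
    <DisplayName>OA-RevokingTokens</DisplayName>
    <Operation>InvalidateToken</Operation>
    <Tokens>
        <!-- read the token from the query string the asker's GET sends;
             cascade="true" also invalidates the associated refresh token -->
        <Token type="accesstoken" cascade="true">request.queryparam.access_token</Token>
    </Tokens>
    <!-- the policy builds the success or error response itself -->
    <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- apiproxy/proxies/default.xml (assumed file name) -->
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <Flows>
        <Flow name="Revoke">
            <!-- only GET /revoke enters this flow -->
            <Condition>(proxy.pathsuffix MatchesPath "/revoke") and (request.verb = "GET")</Condition>
            <Request>
                <Step>
                    <Name>OA-RevokingTokens</Name>
                </Step>
            </Request>
            <Response/>
        </Flow>
    </Flows>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <HTTPProxyConnection>
        <BasePath>/v1/oauth</BasePath>      <!-- assumed base path -->
        <VirtualHost>secure</VirtualHost>   <!-- assumed virtual host -->
    </HTTPProxyConnection>
    <!-- no TargetEndpoint in this rule: /revoke is answered by Apigee alone -->
    <RouteRule name="NoRoute">
        <Condition>proxy.pathsuffix MatchesPath "/revoke"</Condition>
    </RouteRule>
    <!-- every other path still goes to the backend; rules are evaluated in order,
         so the NoRoute rule must come before the default one -->
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
```

Tokens sent in a GET query string tend to end up in proxy and backend access logs; sending them in a header, as the accepted answer's policy expects, keeps them out of those logs.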

@kirankoona

Actually I'm making another proxy call (GET):

http://osa-staging.osapi.com/Revoke?access_token=b9hPw3dXAKBr2OC0BEHhS1lDl7Y8&refresh_token=KTDOabkv...

So when I make the above call it's hitting the server and expecting a controller, hence I'm getting an error.

My question is: when I make the revoke call, will it hit the server directly, or will it hit Apigee, get the access token from Apigee and revoke it even without calling the server?