Invalidate access token if new scopes are requested.

openapidev

Hello,

What is the best way to invalidate an existing access token without knowing its value?

We want to implement an incremental authorization flow. If the client requests new scopes, we want to invalidate the existing access token using the app id and user id, and then generate a new access token including the old and new scopes.

Is it possible without using the Management API, which provides an operation for fetching an access token by app id and user id? Can we achieve the same inside the proxy itself?

thanks


To invalidate a specific token at runtime you need to know the token.

If the _client requests new scopes_ we want to invalidate an existing access token using app id and user id and then generate new access token including old and new scopes.

Somehow your proxy "knows" the old and new scopes. How? If it has the old token, then the proxy can invalidate (revoke) that token. If your proxy doesn't know the "old" and "new" scopes, then... how does it know there are new scopes at all?

If the proxy does not "know" the old token, then it is not possible at runtime. Maybe what you can do is... introduce a non-standard "upgrade" flow for the client, through which it can ask for an "upgraded" token, a token with additional scopes. To get the upgraded token, you can configure an /authorize_upgrade endpoint which accepts the old token, and the set of new scopes desired. Apigee can then redirect to the IdP for the authz code flow, as it would for a normal 3-legged /authorize flow. Upon exchange of the new code for the new token, Apigee can invalidate the old token.

But make sure you need to invalidate the old token. If you are following good practice, with reasonably short token lifetimes, then it shouldn't matter. It should be ok to have 2 outstanding tokens for the same user. I suggest that you double-check your assumption about requirements regarding the old token.

What problem are we solving for?
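The "upgrade" flow sketched in the reply above, as an added simulation that is not code from the original thread or from Apigee: an in-memory token store keyed by token value, an `upgrade_token` step that validates the presented token, mints a replacement carrying the union of old and new scopes, and only then revokes the old one. The IdP authorization-code round trip is replaced by a `consent_granted` flag, and `issue_token`, `introspect`, `revoke` and `upgrade_token` are assumed names.

```python
import secrets
import time

# Constructed in-memory token store standing in for the platform's own store.
# It is keyed by the token value: revoking by (app_id, user_id) alone is not
# possible here, which is the constraint the reply describes.
_TOKENS = {}

def issue_token(app_id, user_id, scopes, lifetime_s=3600):
    """Mint a new opaque bearer token for (app_id, user_id) with the given scopes."""
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = {
        "app_id": app_id,
        "user_id": user_id,
        "scopes": frozenset(scopes),
        "expires_at": time.time() + lifetime_s,
        "revoked": False,
    }
    return token

def introspect(token):
    """Return the token record if it is active, else None (RFC 7662 style)."""
    rec = _TOKENS.get(token)
    if rec is None or rec["revoked"] or rec["expires_at"] <= time.time():
        return None
    return rec

def revoke(token):
    """Invalidate a token by value; unknown tokens are ignored, as in RFC 7009."""
    if token in _TOKENS:
        _TOKENS[token]["revoked"] = True

def upgrade_token(old_token, new_scopes, consent_granted):
    """The /authorize_upgrade step: validate the presented token and, once the
    user has consented at the IdP (consent_granted stands in for the
    authorization-code exchange), mint a token with the union of old and new
    scopes and revoke the old one. Returns the new token, or None if refused."""
    old = introspect(old_token)
    if old is None:
        return None  # unknown, expired or already revoked token
    if not consent_granted:
        return None  # user declined the additional scopes; old token stays valid
    merged = old["scopes"] | frozenset(new_scopes)
    new_token = issue_token(old["app_id"], old["user_id"], merged)
    revoke(old_token)  # only possible because the proxy holds the token value
    return new_token
```

Note that the old token is revoked only after the new one exists, so a client that loses the response can still use the old token until it expires; the reply's point that two outstanding short-lived tokens are acceptable applies here as well.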