revoke access token in proxy


I have a requirement to revoke the access token. I used the InvalidateToken policy. I see one abnormal behavior: the token is getting revoked only after almost 3-5 mins. Until then the token keeps working successfully and shows status approved. I am using Apigee on-prem 4.19.05.

Can anyone help me resolve this? Thanks...

1 ACCEPTED SOLUTION


I found one workaround.

Maybe the management API call for token information is getting bad data. That's why it takes up to 35 mins for the token information to reflect the revoked status.

I added one VerifyAccessToken policy. After the token is revoked using the InvalidateToken policy, if I hit the VerifyAccessToken policy it immediately fails. That means the policy behaves as expected. So I customized the error.

My conclusion here is: if the policy invalidates a token, then an immediate token validation policy will fail. But if I make a management API call for the token, I may get the revoked status only after a notable delay.


3 REPLIES


The token is getting revoked after almost 3-5mins.

If what you mean is that you revoke a token using the management API call, and then a subsequent VerifyAccessToken policy treats the token as still valid, then this is expected behavior, if the token has been previously used.

There's a token cache maintained in the Message Processor.

The first time an MP executes OAuthV2/VerifyAccessToken on a token, it reads from the persistent token store (Cassandra), and then populates the local (in-process) cache with the data that has been retrieved.

If you then use the Apigee management API to revoke the token, revoke the app, revoke the developer, remove the product from the app, or revoke the product in the app, all of those result in changes to the persistent store. But they do not result in cache invalidation in the MP. The cache lifetime is 180 seconds, fixed.

This leads to the unfortunate behavior in which you can revoke a token, and for up to 3 more minutes, a message processor may still accept that token.

Other customers have observed this behavior and have asked Apigee to reduce that window or remove it, and ... that request remains in our engineering backlog.

On the other hand, if you are talking about using the InvalidateToken policy and then querying the status of the token via the management API, I am not sure of the behavior in that circumstance.
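The two paths discussed in this thread (management-API revocation that a warm Message Processor cache hides for up to 180 seconds, versus the accepted workaround of running an InvalidateToken policy in the proxy, which the next VerifyAccessToken sees immediately) can be modelled with a small cache-aside simulation. This is an added example, not Apigee code: the store, the MessageProcessor class, the fixed 180-second TTL, the injectable clock, and the assumption that the in-proxy InvalidateToken policy evicts the entry from that MP's own cache are all constructed here to reproduce the behaviour the replies describe, and the thread says nothing about what other MPs see after an InvalidateToken policy runs.

```python
"""Model of the Message Processor token-cache window described in the thread.

Added illustration, not Apigee code. Assumptions (taken from the replies):
  - each MP keeps an in-process cache populated on first VerifyAccessToken,
  - the cache lifetime is a fixed 180 seconds,
  - management-API revocation changes only the persistent store,
  - an in-proxy InvalidateToken policy is seen immediately by the same MP
    (modelled here as evicting that MP's cache entry; other MPs not covered).
"""
from dataclasses import dataclass

CACHE_TTL_SECONDS = 180  # fixed MP cache lifetime stated in the thread


class TokenStore:
    """Stand-in for the persistent token store (Cassandra in the thread)."""

    def __init__(self):
        self._status = {}

    def issue(self, token):
        self._status[token] = "approved"

    def status(self, token):
        return self._status.get(token, "unknown")

    def revoke(self, token):
        if token in self._status:
            self._status[token] = "revoked"


@dataclass
class CacheEntry:
    status: str
    expires_at: float


class FakeClock:
    """Injectable clock so the TTL window can be stepped deterministically."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class MessageProcessor:
    """One MP with its own in-process token cache."""

    def __init__(self, store, clock):
        self.store = store
        self.clock = clock
        self.cache = {}

    def verify_access_token(self, token):
        """OAuthV2/VerifyAccessToken as a cache-aside read with a fixed TTL."""
        now = self.clock()
        entry = self.cache.get(token)
        if entry is None or now >= entry.expires_at:
            # Cache miss or expired: re-read the persistent store and re-populate.
            entry = CacheEntry(self.store.status(token), now + CACHE_TTL_SECONDS)
            self.cache[token] = entry
        return entry.status == "approved"

    def invalidate_token_policy(self, token):
        """OAuthV2/InvalidateToken run inside the proxy on this MP.
        Assumption: writes the revocation and drops this MP's cached entry."""
        self.store.revoke(token)
        self.cache.pop(token, None)


def revoke_via_management_api(store, token):
    """Management API revocation: persistent store only, no MP cache eviction."""
    store.revoke(token)


def stale_window_demo():
    """Management-API path: returns what each check observes over the TTL window."""
    clock, store = FakeClock(), TokenStore()
    warm_mp = MessageProcessor(store, clock)   # has already seen the token
    fresh_mp = MessageProcessor(store, clock)  # never seen the token before
    store.issue("tok-A")  # constructed sample token
    results = {"before_revoke": warm_mp.verify_access_token("tok-A")}  # populates cache
    revoke_via_management_api(store, "tok-A")
    results["store_status"] = store.status("tok-A")
    clock.advance(179)
    results["warm_mp_at_179s"] = warm_mp.verify_access_token("tok-A")  # stale: accepted
    results["fresh_mp_at_179s"] = fresh_mp.verify_access_token("tok-A")  # cold read: rejected
    clock.advance(1)
    results["warm_mp_at_180s"] = warm_mp.verify_access_token("tok-A")  # TTL expired: rejected
    return results


def invalidate_policy_demo():
    """In-proxy InvalidateToken path: (accepted before, accepted after)."""
    clock, store = FakeClock(), TokenStore()
    mp = MessageProcessor(store, clock)
    store.issue("tok-B")  # constructed sample token
    before = mp.verify_access_token("tok-B")
    mp.invalidate_token_policy("tok-B")
    after = mp.verify_access_token("tok-B")
    return before, after


if __name__ == "__main__":
    print(stale_window_demo())
    print(invalidate_policy_demo())
```

The practical reading: any revocation performed through the management API (token, app, developer, or product changes) should be budgeted as taking effect up to 180 seconds later on any MP that has already validated the token, while an MP that has never cached the token rejects it at once. If a caller must be cut off immediately on the MP handling the request, the in-proxy InvalidateToken path from the accepted answer is the one the thread shows working.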

Thank you for sharing more information in detail.