This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

revoke oauth2.0 policy

Posted on 01-10-2021 10:14 AM
deniska
New Member
Reply posted on --/--/---- --:-- AM

Hi,

We are using OAUTH2 policy to invalidate tokens.

However, by design it seems that Apigee does not protects this policy with any client_id \ client_secret of the client that generated this token and wants to invalidate it.

On the RFC page https://tools.ietf.org/html/rfc7009 we can see that

For example, a client may request the revocation of a refresh token
   with the following request:

     POST /revoke HTTP/1.1
     Host: server.example.com
     Content-Type: application/x-www-form-urlencoded
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

     token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token

   The authorization server first validates the client credentials (in
   case of a confidential client) and then verifies whether the token
   was issued to the client making the revocation request.  If this
   validation fails, the request is refused and the client is informed
   of the error by the authorization server as described below.

Our question - is this by design that invalidation of the token can be done absolutely anonymous? (of course we can create logic that with get OAUTH info \ verify API key we can get both id+secret and see if this token belongs to this client and his secret - but still... I always knew that Apigee RFC ready).

Any comments on that team?

Thanks,

Denis

0 1 116
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

By default the policy doesn't need any security. You can add a security policy like api key verification or oauth.

In my case I have added access control policy as the security, which will allow the request from our Jenkins server only.

0 Likes