Hi,
We are using OAUTH2 policy to invalidate tokens.
However, by design it seems that Apigee does not protects this policy with any client_id \ client_secret of the client that generated this token and wants to invalidate it.
On the RFC page https://tools.ietf.org/html/rfc7009 we can see that
For example, a client may request the revocation of a refresh token with the following request: POST /revoke HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below.
Our question - is this by design that invalidation of the token can be done absolutely anonymous? (of course we can create logic that with get OAUTH info \ verify API key we can get both id+secret and see if this token belongs to this client and his secret - but still... I always knew that Apigee RFC ready).
Any comments on that team?
Thanks,
Denis
By default the policy doesn't need any security. You can add a security policy like api key verification or oauth.
In my case I have added access control policy as the security, which will allow the request from our Jenkins server only.
User | Count |
---|---|
5 | |
2 | |
2 | |
1 | |
1 |