I am trying to log off or end a Token session with a valid (not expired) token. I tried calling /oauth/Tokenstore/revoke with the "Delete" method.
It deleted the token with the specified "resource_owner" & "client_key" from the Database. But I am still able to call an existing policy API with the Token and get a successful OAuth Token validation.
Do I have to delete the Token session also? Am I missing any step here?
Access Tokens are stored in the gateway cache. Depending on the version of the OTK you are using, it may or may not have been removed from the cache when making the /revoke API call. You need to update the Revoke API to remove the token from the cache. Also try using the /auth/oauth/v2/token/revoke API call to properly remove Access or Refresh tokens. I have updated this service to remove from cache in OTK 3.0 in SSG v8.3 and it is working as expected.
If the token is deleted from the DB, it should no longer be valid; perhaps you can check if it is still appearing in the oauth/manager? Also, did you test the API within the period of the Cache Validation result of the "OTK Require OAuth 2.0 Token" assertion?
Testing within the period after a successful validation would still allow the token to pass as it has been cached.
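The behaviour both answers describe (a token deleted from the store still validating until the cached validation result expires, unless revocation also purges the cache) can be shown with a small model. The code below is an added illustration, not OTK or gateway code; the token store, cache, TTL value and the `FakeClock` are all constructed for this example, and the `validate`/`revoke` methods are hypothetical stand-ins for the "OTK Require OAuth 2.0 Token" assertion and the revoke service.

```python
"""Toy model of a gateway that caches token-validation results.

Constructed for this example; it is not the OTK implementation.
"""
import time


class FakeClock:
    """Manually advanced clock so the cache window can be stepped through."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenValidator:
    def __init__(self, cache_ttl, clock=time.monotonic):
        self.cache_ttl = cache_ttl      # seconds a validation result is reused
        self.clock = clock
        self.store = {}                 # token -> metadata ("the database")
        self.cache = {}                 # token -> (is_valid, expires_at)

    def issue(self, token, resource_owner, client_key):
        self.store[token] = {"resource_owner": resource_owner,
                             "client_key": client_key}

    def validate(self, token):
        """Return True if the token is accepted, consulting the cache first."""
        now = self.clock()
        cached = self.cache.get(token)
        if cached is not None and cached[1] > now:
            return cached[0]            # cached verdict, store not consulted
        is_valid = token in self.store
        self.cache[token] = (is_valid, now + self.cache_ttl)
        return is_valid

    def revoke_db_only(self, token):
        """Revoke that only touches the store (the stale-cache problem)."""
        self.store.pop(token, None)

    def revoke(self, token):
        """Revoke that also purges the cached verdict."""
        self.store.pop(token, None)
        self.cache.pop(token, None)


def stale_window_scenario(cache_ttl=60):
    """Verdicts after a DB-only revoke: [before, right after, after TTL]."""
    clock = FakeClock()
    gw = TokenValidator(cache_ttl, clock)
    gw.issue("tok-1", resource_owner="alice", client_key="client-a")
    before = gw.validate("tok-1")       # True, and now cached
    gw.revoke_db_only("tok-1")
    right_after = gw.validate("tok-1")  # still True: served from cache
    clock.advance(cache_ttl + 1)
    after_ttl = gw.validate("tok-1")    # False: cache expired, store checked
    return [before, right_after, after_ttl]


def cache_purge_scenario(cache_ttl=60):
    """Verdicts when revoke also purges the cache: [before, right after]."""
    gw = TokenValidator(cache_ttl, FakeClock())
    gw.issue("tok-2", resource_owner="alice", client_key="client-a")
    before = gw.validate("tok-2")
    gw.revoke("tok-2")
    right_after = gw.validate("tok-2")  # False immediately
    return [before, right_after]


if __name__ == "__main__":
    print("DB-only revoke:", stale_window_scenario())
    print("Revoke with cache purge:", cache_purge_scenario())
```

The first scenario reproduces the question: a token removed from the database keeps passing validation for up to one cache TTL. The second shows the fix the first answer describes, invalidating the cached result at revocation time, so the window closes immediately. When checking a real gateway, run the post-revoke call both inside and after the assertion's cache validation period to tell the two cases apart.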