Layer7 API Management

  • 1.  Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Posted Mar 10, 2017 10:43 AM

    When we try to delete all the tokens for a 'resource_owner' specific to a 'client_key' using the token store API,

     

    API endpoint : /oauth/tokenstore/revoke  

    Method: DELETE 

    Parameters: resource_owner , client_key

     

    Expected Behavior:

    In all scenarios, all the tokens (access tokens and refresh tokens) belonging to the given resource_owner for the client_key should be deleted.

     

    Observed Behavior:

    If any of the access_tokens for the same resource_owner and client_key have expired and the corresponding refresh_tokens are still active, then this API does not delete those active refresh_tokens.

    These refresh_tokens can again be used to generate new access_tokens, which is not a desired behavior.

     

    Is there any better way to delete all the tokens for a resource_owner and given client_key?

     

    Thanks,

     Sunita 



  • 2.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Broadcom Employee
    Posted Mar 13, 2017 03:40 PM

    Hi sdora,

     

    What version of the OTK are you using? Just to confirm I understand, are you saying that calling /revoke with the RO and client key only removes the access token and not the refresh token? 

     

    I am making the below call which does remove both tokens from OAuth manager as well as from the oauth_token table.

     

     

    Regards,

    Joe



  • 3.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Posted Mar 14, 2017 04:48 PM

    Hi Joe,

     

    Thanks for the response.

     

    We are using the 'OTK Token Revocation' (OTK V 3.4) assertion.

     

    • Consider the case where there is no active access_token for the RO and CK, but the refresh_token is still active, as the access_token and refresh_token may have different expirations.
    • That means there is no entry in the oauth_access_token table for the same RO and CK, but there is an entry in the oauth_refresh_token table.
    • In this scenario, when we try to call OTK Token Revocation with parameters CK and RO, it's not able to remove the existing refresh_token.


  • 4.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Broadcom Employee
    Posted Mar 15, 2017 09:43 AM

    Hi sdora,

     

    The schema for the OTK does not define a table 'oauth_refresh_token', only the 'oauth_token' table which holds access_tokens and refresh_tokens. I have done some testing with an expired access token but valid refresh token and can see the OTK Token Revocation working when passing only the CK and RO.

     

    Unfortunately I cannot reproduce the behavior you mentioned. Perhaps it would be best to open a support case so we can work through and see exactly what is going on in your environment.

     

    Regards,

    Joe

     



  • 5.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Posted Mar 15, 2017 11:16 AM

    Hi Joe,

     

    I forgot to mention that we are using the NoSQL Cassandra database schema, which has the following two tables.

     

    Schema is as follows:

    CREATE TABLE oauth_refresh_token (
        otk_token text PRIMARY KEY,
        secret text,
        expiration bigint,
        scope text,
        resource_owner text,
        created bigint,
        otoken text, // other token = access token
        oexpiration bigint,
        status text,
        client_key text,
        client_name text,
        custom text
    );

    CREATE TABLE oauth_access_token (
        otk_token text PRIMARY KEY,
        secret text,
        expiration bigint,
        scope text,
        resource_owner text,
        created bigint,
        otoken text, // other token = refresh token
        oexpiration bigint,
        status text,
        client_key text,
        client_name text,
        custom text
    );
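
An added example (not part of the original posts and not OTK code): a check to run over rows exported from the two tables after a revoke call, confirming that no usable refresh token remains for the resource_owner and client_key. Column names follow the schema posted above; the function name, the sample rows, and the assumption that `expiration` holds epoch seconds are illustrative.

```python
# Added example: audit of rows exported from oauth_refresh_token and
# oauth_access_token after a revoke call. Column names come from the posted
# schema; sample rows, function names and the epoch-seconds unit are assumptions.

def surviving_refresh_tokens(refresh_rows, access_rows, resource_owner, client_key, now):
    """Return [(otk_token, orphaned)] for refresh tokens that are still usable.

    orphaned is True when the paired access token (column `otoken`) has no row
    left in oauth_access_token, the situation described in this thread.
    """
    access_ids = {row["otk_token"] for row in access_rows}
    findings = []
    for row in refresh_rows:
        if (row["resource_owner"], row["client_key"]) != (resource_owner, client_key):
            continue  # belongs to another user or client
        if row["expiration"] <= now:
            continue  # expired, can no longer mint access tokens
        findings.append((row["otk_token"], row["otoken"] not in access_ids))
    return sorted(findings)


def _rt(token, other, owner, key, expiration):
    """Build one constructed oauth_refresh_token row (only the columns used)."""
    return {"otk_token": token, "otoken": other, "resource_owner": owner,
            "client_key": key, "expiration": expiration}


# Constructed sample data: state of the tables after a revoke for alice/ck-app.
NOW = 1489500000
REFRESH_ROWS = [
    _rt("rt-1", "at-1", "alice", "ck-app", NOW + 86400),    # active, access row gone
    _rt("rt-2", "at-2", "alice", "ck-app", NOW - 60),       # already expired
    _rt("rt-3", "at-3", "alice", "ck-other", NOW + 86400),  # different client_key
    _rt("rt-4", "at-4", "bob", "ck-app", NOW + 86400),      # different resource_owner
]
ACCESS_ROWS = [{"otk_token": "at-3"}, {"otk_token": "at-4"}]

if __name__ == "__main__":
    hits = surviving_refresh_tokens(REFRESH_ROWS, ACCESS_ROWS, "alice", "ck-app", NOW)
    for token, orphaned in hits:
        print(f"still usable: {token} (no access-token row: {orphaned})")
```

Any row returned for the pair that was just revoked means a refresh token can still be exchanged for a new access token.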

     



  • 6.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Posted Mar 23, 2017 06:47 AM

    Hi sdora,

    Did you have a chance to open a new case? If so, please can you mark Joe's answer as correct.

    Regards

    Seenu mathew