When we try to delete all the tokens for a 'resource_owner' specific to a 'client_key' using the token store API,
API endpoint : /oauth/tokenstore/revoke
Parameters: resource_owner , client_key
In all scenarios, all the tokens (access tokens and refresh tokens) belonging to the given resource_owner for the client_key should be deleted.
If any of the access_tokens for the same resource_owner and client_key have expired and the corresponding refresh_tokens are still active, then this API is not deleting those active refresh_tokens.
These refresh_tokens can again be used to generate new access_tokens, which is not a desired behavior.
Is there any better way to delete all the tokens for a resource_owner and given client_key?
What version of the OTK are you using? Just to confirm I understand, are you saying that calling /revoke with the RO and client key only removes the access token and not the refresh token?
I am making the below call which does remove both tokens from OAuth manager as well as from the oauth_token table.
Thanks for the response.
We are using the 'OTK Token Revocation' (OTK v3.4) assertion.
The schema for the OTK does not define a table 'oauth_refresh_token', only the 'oauth_token' table which holds access_tokens and refresh_tokens. I have done some testing with an expired access token but valid refresh token and can see the OTK Token Revocation working when passing only the CK and RO.
Unfortunately I cannot reproduce the behavior you mentioned. Perhaps it would be best to open a support case so we can work through and see exactly what is going on in your environment.
I forgot to mention, we are using the NoSQL Cassandra database schema, which has the following two tables.
Schema is as follows:
CREATE TABLE oauth_refresh_token (
    otk_token text PRIMARY KEY,
    secret text,
    expiration bigint,
    scope text,
    resource_owner text,
    created bigint,
    otoken text,        // other token = access token
    oexpiration bigint,
    status text,
    client_key text,
    client_name text,
    custom text
);

CREATE TABLE oauth_access_token (
    otk_token text PRIMARY KEY,
    secret text,
    expiration bigint,
    scope text,
    resource_owner text,
    created bigint,
    otoken text,        // other token = refresh token
    oexpiration bigint,
    status text,
    client_key text,
    client_name text,
    custom text
);
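To make the gap described in this thread concrete, here is an added example (not OTK code, and not from any poster) that models the two Cassandra tables above as in-memory rows: one revocation routine starts from live access tokens and follows `otoken` to the refresh table, which is the pattern that leaves a refresh token behind once its access token has expired; the other deletes by (resource_owner, client_key) in both tables. The helper names, the sample tokens and the assumption that `expiration` is in epoch seconds are constructed for the example.

```python
def _row(token, owner, ck, exp, other, oexp):
    # One row in the shape of the thread's oauth_*_token tables (subset of columns).
    return {"otk_token": token, "resource_owner": owner, "client_key": ck,
            "expiration": exp, "otoken": other, "oexpiration": oexp, "status": "enabled"}

NOW = 1_700_000_000  # constructed clock; 'expiration' assumed to be epoch seconds

# Constructed data: alice holds two token pairs for client-A (the first access
# token already expired, its refresh token still live) and one pair for client-B.
ACCESS = [_row("AT1", "alice", "client-A", NOW - 60, "RT1", NOW + 86400),
          _row("AT2", "alice", "client-A", NOW + 3600, "RT2", NOW + 86400),
          _row("AT3", "alice", "client-B", NOW + 3600, "RT3", NOW + 86400)]
REFRESH = [_row("RT1", "alice", "client-A", NOW + 86400, "AT1", NOW - 60),
           _row("RT2", "alice", "client-A", NOW + 86400, "AT2", NOW + 3600),
           _row("RT3", "alice", "client-B", NOW + 86400, "AT3", NOW + 3600)]

def _matches(r, owner, ck):
    return r["resource_owner"] == owner and r["client_key"] == ck

def revoke_via_access_table(access, refresh, owner, ck, now=NOW):
    """Reproduces the symptom: start from *live* access tokens for the owner/client
    and delete each one plus the refresh token it points at via 'otoken'.
    Expired access tokens are skipped, so their paired refresh tokens survive."""
    victims = [r for r in access if _matches(r, owner, ck) and r["expiration"] > now]
    dead_at = {r["otk_token"] for r in victims}
    dead_rt = {r["otoken"] for r in victims}
    return ([r for r in access if r["otk_token"] not in dead_at],
            [r for r in refresh if r["otk_token"] not in dead_rt])

def revoke_all(access, refresh, owner, ck):
    """Desired behaviour: delete by (resource_owner, client_key) in *both* tables,
    regardless of expiration, so no refresh token can mint a new access token."""
    return ([r for r in access if not _matches(r, owner, ck)],
            [r for r in refresh if not _matches(r, owner, ck)])

def live_refresh_tokens(refresh, owner, ck, now=NOW):
    """Post-revocation check: refresh tokens that would still be accepted."""
    return sorted(r["otk_token"] for r in refresh
                  if _matches(r, owner, ck) and r["expiration"] > now)

if __name__ == "__main__":
    _, rt = revoke_via_access_table(ACCESS, REFRESH, "alice", "client-A")
    print("left live after access-table revoke:", live_refresh_tokens(rt, "alice", "client-A"))  # ['RT1']
    _, rt = revoke_all(ACCESS, REFRESH, "alice", "client-A")
    print("left live after revoke_all:", live_refresh_tokens(rt, "alice", "client-A"))  # []
```

Against a real deployment the same check is a query of oauth_refresh_token by resource_owner and client_key after revocation; any row with expiration still in the future is a token that can be exchanged for a new access token.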
Did you have a chance to open a new case? If so, please can you mark Joe's answer as correct.