Layer7 API Management

  • 1.  Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Posted 03-10-2017 10:43 AM

    When we try to delete all the tokens for a 'resource _owner' specific to a 'client_key' using the token store API,

     

    API endpoint : /oauth/tokenstore/revoke  

    Method: DELETE 

    Parameters: resource_owner , client_key

     

    Expected Behavior:

    In all scenarios, all the tokens (access token s and refresh tokens) belonging to the given resource_owner for the client_key should be deleted.

     

    Observed Behavior:

    In case, any of the access_tokens for the same resource_owner and client_key have been expired and the corresponding refresh_tokens are still active, then this api is not deleting those active refresh_tokens.

    These refresh_tokens can again be used to generate new access_tokens, which is not a desired behavior.

     

    Is there any better way to delete all the tokens for a resource_owner and given client_key.

     

    Thanks,

     Sunita 



  • 2.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Broadcom Employee
    Posted 03-13-2017 03:40 PM

    Hi sdora,

     

    What version of the OTK are you using? Just to confirm I understand, are you saying that calling /revoke with the RO and client key only removes the access token and not the refresh token? 

     

    I am making the below call which does remove both tokens from OAuth manager as well as from the oauth_token table.

     

     

    Regards,

    Joe



  • 3.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Posted 03-14-2017 04:48 PM

    Hi Joe,

     

    Thanks for the response.

     

    We are using 'OTK Token Revocation' (OTK V 3.4 ) assertion.

     

    • Consider the case, when there is no active access_token for the RO and CK, but the refresh_token is still active as access_token and refresh_token may have different expiration.
    • That means there is no entry in oauth_access_token table for the same RO and CK, but there is an entry in oauth_refresh_token table.
    • In this scenario, when we try to call OTK Token Revocation with parameters CK and RO, its not able to remove the existing refresh_token. 


  • 4.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Broadcom Employee
    Posted 03-15-2017 09:43 AM

    Hi sdora,

     

    The schema for the OTK does not define a table 'oauth_refresh_token', only the 'oauth_token' table which holds access_tokens and refresh_tokens. I have done some testing with an expired access token but valid refresh token and can see the OTK Token Revocation working when passing only the CK and RO.

     

    Unfortunately I cannot reproduce the behavior you mentioned. Perhaps it would be best to open a support case so we can work through and see exactly what is going on in your environment.

     

    Regards,

    Joe

     



  • 5.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Posted 03-15-2017 11:16 AM

    Hi Joe,

     

    I missed to mention, we are using No Sql Cassandra database schema, which has the following two tables.

     

    Schema is as follows:

    CREATE TABLE oauth_refresh_token (
        otk_token text PRIMARY KEY,
        secret text,
        expiration bigint,
        scope text,
        resource_owner text,
        created bigint,
        otoken text, // other token = access token
        oexpiration bigint,
        status text,
        client_key text,
        client_name text,
        custom text
    );

    CREATE TABLE oauth_access_token (
        otk_token text PRIMARY KEY,
        secret text,
        expiration bigint,
        scope text,
        resource_owner text,
        created bigint,
        otoken text, // other token = refresh token
        oexpiration bigint,
        status text,
        client_key text,
        client_name text,
        custom text
    );

     



  • 6.  Re: Not all refresh tokens are getting deleted using /oauth/tokenstore/revoke api

    Posted 03-23-2017 06:47 AM

    Hi sdora,

    Did you have a chance to open a new case? If so, please can you mark Joe's answer as correct.

    Regards

    Seenu mathew