Layer7 API Management

  • 1.  Howto Revoke a Jwt access_token

    Posted Sep 09, 2019 03:20 AM

    token/revoke only works with uuid access_tokens, not with jwt access_tokens. 

    It's not considered a bug, but is a feature request - there is an idea raised for it: 

    Idea: OTK: Allow JWT access token to be revoked
    (I originally added this as a comment on the Idea, but that does not support attachments - so adding this post and linking it)

    However, to pass testing we needed revoke to work with jwt access tokens.

    To do that, I've adjusted the /token/revoke service and added the entries from 2-10 in the screenshot.

    The code checks for a jwt access token and, if so, decodes it, extracts the "jti" (which is the uuid value) and updates the token with the jti value.

    The code was derived from the /userinfo service, which effectively has to do the same process to allow use of the uuid and jwt access_token.

    It does: "check_access_token"
    1. Check token_type_hint is "access_token"
    2. Check if the token contains a "." (assumption: then it is a jwt)
    3. Decode the token
    4. Parse out the jti
    5. Set the token = jti value
    And if any step fails it leaves it as it is. Most of those steps were taken from the /userinfo call.

    Note: Upgrade of the OTK kit will overwrite this version, and you'll have to re-implement it (i.e. look at the revision history).
    Note2: It won't be supported as the standard revoke function.
    Note3: You could do this on the client side and extract the jti value and send that.
    Note4: I'd expect sometime the OTK will support revoke of jwt access_token.
    Cheers - Mark


    Attachment(s): check_access_token.xml (xml, 5 KB, 1 version)
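The five steps above, written out as a stand-alone function (an added example, not Mark's attached policy XML or OTK's own code). It only base64url-decodes the payload to read the jti; it does not verify the signature, because the revoke service still has to look the jti up in its own token store, and an unknown or mismatched jti simply revokes nothing. The sample token and jti are constructed for the demo.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_access_token(token: str, token_type_hint: str = "access_token") -> str:
    """Swap a JWT access token for its jti; leave anything else untouched.

    Any failing step returns the original token, so UUID access tokens
    (and malformed input) keep flowing to the normal /token/revoke path.
    """
    # Step 1: only access tokens are handled.
    if token_type_hint != "access_token":
        return token
    # Step 2: a "." marks a JWT (header.payload.signature); a UUID has none.
    parts = token.split(".")
    if len(parts) != 3:
        return token
    # Step 3: decode the payload segment (no signature verification here).
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return token
    # Step 4: parse out the jti claim.
    jti = claims.get("jti") if isinstance(claims, dict) else None
    if not isinstance(jti, str) or not jti:
        return token
    # Step 5: the jti is the UUID the revoke service already understands.
    return jti


# Constructed sample token (not issued by any real OTK); the signature is a dummy.
SAMPLE_JTI = "6f1a2c3e-9b8d-4e5f-a0b1-c2d3e4f5a6b7"
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"jti": SAMPLE_JTI, "sub": "demo-user"}).encode()),
    "dummy-signature",
])
```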


  • 2.  RE: Howto Revoke a Jwt access_token
    Best Answer

    Posted Sep 09, 2019 07:18 PM
    Thank you for sharing this with the community Mark!

    ------------------------------
    Chris Hackett
    Community Manager, Broadcom Enterprise Software Division
    Broadcom Inc.
    ------------------------------