Am I revoking my access tokens correctly?

I'm testing API endpoints with Postman using the bearer token found in the request headers. I'll hit my org authorization server's /revoke endpoint and then confirm that the access token is indeed revoked by calling the /introspect endpoint (active: false), but that same bearer token is still working for subsequent requests to my API.

Should that same bearer token be able to access my authorization-protected endpoints? Am I misunderstanding the flow, or are the tokens cached somehow?

For context, my API is .NET Framework and the endpoints have the [Authorize] attribute tags.

Any insight is greatly appreciated.


If the resource that accepts the Bearer Token is doing local token validation (verifying the signature, expiry time, audience, and scopes locally) then there is no way the resource would know that the token has been revoked.

The resource would need to do remote validation by calling the /introspect endpoint to know.

For highly sensitive applications this might be the best approach.
Another approach is to use short access_token lifetimes (5 minutes), so token revocation may not be needed.

This all depends on the application's specific security needs.

Thank You,
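The behaviour described in the question and the answer above, as an added simulation that is not part of the original thread and is not the poster's .NET code: a toy authorization server issues HS256 tokens, revokes them, and answers /introspect; one resource server validates tokens locally (signature, expiry, audience) and a second one calls introspection. After /revoke the locally-validating resource still accepts the token, the introspecting one rejects it, and an expired short-lived token is rejected by both. The signing key, audience value and token identifiers are constructed for the example; in practice the resource server would call the real introspection endpoint over HTTPS with its own client credentials.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the simulation (not real secrets or a real audience).
SIGNING_KEY = b"example-signing-key-not-a-real-secret"
AUDIENCE = "api://example-api"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _parse_claims(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_locally(token: str) -> Optional[dict]:
    """Local validation only: signature, expiry and audience.
    Revocation state lives on the authorization server, so it is invisible here."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= int(time.time()):
        return None
    return claims


class AuthorizationServer:
    """Toy authorization server: issues HS256 JWTs, records revocations, answers /introspect."""

    def __init__(self) -> None:
        self.revoked = set()  # jti values that have been passed to /revoke

    def issue(self, sub: str, jti: str, lifetime: int = 300) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        now = int(time.time())
        claims = {"sub": sub, "aud": AUDIENCE, "iat": now, "exp": now + lifetime, "jti": jti}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
        sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def revoke(self, token: str) -> None:
        self.revoked.add(_parse_claims(token)["jti"])

    def introspect(self, token: str) -> dict:
        # RFC 7662 style response: "active": false for revoked, expired or badly signed tokens.
        claims = validate_locally(token)
        if claims is None or claims["jti"] in self.revoked:
            return {"active": False}
        return {"active": True, "sub": claims["sub"], "exp": claims["exp"]}


class ResourceServer:
    """Stand-in for the protected API: either trusts local validation or asks the AS."""

    def __init__(self, auth_server: AuthorizationServer, remote_validation: bool) -> None:
        self.auth_server = auth_server
        self.remote_validation = remote_validation

    def authorize(self, bearer_token: str) -> bool:
        if self.remote_validation:
            return bool(self.auth_server.introspect(bearer_token)["active"])
        return validate_locally(bearer_token) is not None


def demo() -> dict:
    auth = AuthorizationServer()
    token = auth.issue("alice", jti="constructed-token-1")
    local_api = ResourceServer(auth, remote_validation=False)
    remote_api = ResourceServer(auth, remote_validation=True)
    before = {"local": local_api.authorize(token), "remote": remote_api.authorize(token)}
    auth.revoke(token)
    after = {"local": local_api.authorize(token), "remote": remote_api.authorize(token)}
    # A token whose lifetime has already elapsed fails even local validation.
    expired = auth.issue("bob", jti="constructed-token-2", lifetime=-1)
    expired_result = {"local": local_api.authorize(expired), "remote": remote_api.authorize(expired)}
    return {"before_revoke": before, "after_revoke": after, "expired": expired_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `after_revoke` result is the situation in the question: the locally-validating resource keeps accepting the revoked token until it expires, which is why the answer points at either introspection on each request or a short token lifetime.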
