Am I revoking my access tokens correctly?

spaghettiboi22 · August 23, 2023, 6:49pm

im testing api endpoints with postman using the bearer token found in the request headers. i’ll hit my org authorization server with the /revoke endpoint and then confirm that the access token is indeed false by requesting /introspect endpoint (active: false), but that same bearer token is still working for subsequent requests to my api.

should that same bearer token be able to access my authorization-protected endpoints, am i misunderstanding the flow, or are the tokens cached somehow?

for context, my API is .net framework and the endpoints have the [Authorize] attribute tags.

any insight is greatly appreciated.

erik · August 24, 2023, 7:15am

Hello,

If the resource that accepts the Bear Token is doing local token validation (verifying the signature, expiry time, audience, and scopes locally) then there is no way the resource would know that the token has been revoked.

The resource would need to do remote validation by calling the /introspect endpoint to know.

For highly sensitive applications this might be the best approach.
Another approach is to use short access_token lifetimes (5 minutes), so token revocation may not be needed.

This all depends on the applications specific security needs.

Thank You,

Post		Replies	Views
Inactive token still works OAuth/OIDC	9	4924	March 24, 2021
Getting 200 OK while calling /v1/revoke/ API but my access token is still working OAuth/OIDC	4	184	October 8, 2024
Revoke API not working OAuth/OIDC	8	3169	August 5, 2022
Alternatives to remote validation of tokens Questions	1	2633	March 24, 2022
OAuth 2.0 Token Revocation Questions	0	3608	March 20, 2020

Am I revoking my access tokens correctly?

Related topics