CAEP, revocation events

I was reading about Azure AD continuous access evaluation, which is based on CAEP. When using CAE, the Microsoft apps (Teams, SharePoint, etc.) subscribe to token revocation events from Azure AD (for example, if the user is deleted or the user changes their password).

Is it possible to receive (at the Resource Server side) an event for each token revoked in Okta?

I mean, I guess the answer is no, as there is no mention of it in Overview | Okta Developer.

But is there some plan to have something like this? I mean, I know that I can use the remote token introspection endpoint to check if a token is revoked, but I would really like to avoid it. I would much rather use local validation and check for revoked tokens locally (from the state built from the revocation events).

It is impossible to determine if a token has been revoked when locally validating it. You can only confirm that the token is valid and non-expired locally, and you MUST make a network call to Okta (the introspect endpoint) to check with Okta to see if it has been revoked. Details about token validation here: Validating a Token Remotely With Okta

But is there any plan to support CAEP/RISC events?

If I understood right, the idea with CAEP is that the Auth server will send events like session revoked/password change/etc. to the resource server. So the resource server can use that information later, when it receives the access token, to reject tokens (that otherwise look like valid tokens) based on knowing that the session for the user was revoked at time x, so any token issued before x should be rejected.

So I understand that Okta does not support CAEP (which I don't think is fully standardized yet), but my question is really whether there are plans for supporting it, or even whether Okta has a "position" about CAEP vs. regular token introspection?
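The pattern described in the post above (keep a per-user revocation cutoff built from received events, then reject any locally valid token issued at or before that cutoff), as an added example that is not part of the original thread and not Okta's code. It assumes CAEP-style Security Event Tokens that have already been signature-checked and decoded to dicts, an access token that has likewise already passed local signature/issuer/audience validation, and a constructed placeholder issuer URL; the event type URIs are the CAEP ones for session-revoked and credential-change.

```python
"""Local access-token acceptance against a revocation state built from
CAEP-style events. Added example for this thread, not Okta's code.
Assumptions: SETs are already verified and decoded to dicts; the access
token is already locally validated (signature, iss, aud) and decoded."""
import time

CAEP_PREFIX = "https://schemas.openid.net/secevent/caep/event-type/"
SESSION_REVOKED = CAEP_PREFIX + "session-revoked"
CREDENTIAL_CHANGE = CAEP_PREFIX + "credential-change"
# Event types after which every token issued earlier should be refused.
INVALIDATING_EVENTS = {SESSION_REVOKED, CREDENTIAL_CHANGE}

ISS = "https://example.okta.com/oauth2/default"  # constructed placeholder


class RevocationState:
    """Per-subject cutoff times derived from the events received so far."""

    def __init__(self):
        self._cutoff = {}        # (iss, sub) -> latest invalidating event time
        self._seen_jti = set()   # dedupe redelivered SETs by their jti

    def ingest(self, set_claims):
        """Record one decoded SET; returns True if it raised a cutoff."""
        jti = set_claims["jti"]
        if jti in self._seen_jti:
            return False
        self._seen_jti.add(jti)
        sub_id = set_claims["sub_id"]           # RFC 9493 style subject
        key = (sub_id["iss"], sub_id["sub"])
        changed = False
        for event_type, payload in set_claims["events"].items():
            if event_type not in INVALIDATING_EVENTS:
                continue
            # Fall back to the SET's own iat when event_timestamp is absent.
            ts = payload.get("event_timestamp", set_claims["iat"])
            if ts > self._cutoff.get(key, 0):
                self._cutoff[key] = ts
                changed = True
        return changed

    def cutoff_for(self, iss, sub):
        return self._cutoff.get((iss, sub))


def is_token_acceptable(token_claims, state, now=None, skew=60):
    """Local check only: not expired, and not issued at or before the
    subject's latest revocation cutoff. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if now > token_claims["exp"] + skew:
        return False, "expired"
    cutoff = state.cutoff_for(token_claims["iss"], token_claims["sub"])
    # Tokens minted at exactly the event time are treated as pre-revocation.
    if cutoff is not None and token_claims["iat"] <= cutoff:
        return False, "issued before revocation event"
    return True, "ok"


def demo():
    """Constructed scenario: a token minted before a session-revoked event
    is refused, one minted afterwards is accepted, and a redelivered SET
    is ignored."""
    state = RevocationState()
    old_token = {"iss": ISS, "sub": "user-1", "iat": 1_700_000_000,
                 "exp": 1_700_003_600}
    revoke_set = {                      # constructed, decoded SET
        "iss": ISS, "jti": "set-1", "iat": 1_700_000_101,
        "sub_id": {"format": "iss_sub", "iss": ISS, "sub": "user-1"},
        "events": {SESSION_REVOKED: {"event_timestamp": 1_700_000_100}},
    }
    first = state.ingest(revoke_set)
    replay = state.ingest(revoke_set)
    new_token = {"iss": ISS, "sub": "user-1", "iat": 1_700_000_200,
                 "exp": 1_700_003_800}
    now = 1_700_000_300
    return {
        "ingested": first,
        "replay_ignored": not replay,
        "old": is_token_acceptable(old_token, state, now=now),
        "new": is_token_acceptable(new_token, state, now=now),
    }


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the events actually delivered: a token remains locally "valid" for the whole gap between the revocation and the event arriving, and any event lost in transit is never reflected in the cutoff, which is why the introspection endpoint stays the authoritative answer and this state is at best an early-reject filter in front of it.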

We do not have a formal roadmap for CAEP support, in part because it's not yet ratified, but you may want to file a feature request in our Okta Ideas Portal to let our Product team know you're interested in it and so we can continue to gauge interest.
