I have a Okta SPA with open id connect and I am using angular to do okta login using redirect form. and in .net core API, I am validating access token on server side on every API call.
Now I want to invalidate my access token so I tried /v1/revoke/ API call by passing auth server id, client id and other required detail and it is returning 200 OK but my access token is still working.
Please guide me.
Thanks
Nishit
Hello @nbisaria3,
Thank you for reaching out here on the Okta Developer Forum. Before using the /revoke endpoint, could you please try the /introspect endpoint first for that access token ?
This will validate the issuer (“iss” claim from the token) and other useful details.
After validating the access token, please use the /revoke endpoint.
After the /revoke request, you can double check the token by using the /introspect call one more time. (In this case, the token should already be invalidated and the response from /introspect will be the confirmation)
Regarding the SPA, please check if the refresh token functionality is enabled. (in this case, the access token might be refreshed, this is why the access_token might still be working)
The only way to confirm if an access token is invalided, is by using the /introspect request (or local token validation).
Hello,
Thank you for providing attention to my post. I have tried /introspect endpoint before and after /revoke and it is working as expected. before /revoke, it is true and after /revoke false.
But I am using below piece of code to validate the token at C# .NET level. It is saying token is valid. Please let me know if I am missing anything or I have to do something else.
_configurationManager = new ConfigurationManager(
_config.GetSection(“Okta”)[“Domain”] + Constants.WELL_KNOWN_END_POINT,
new OpenIdConnectConfigurationRetriever(),new HttpDocumentRetriever());
var openIdConnectConfiguration = _configurationManager.GetConfigurationAsync().Result;
var signingKeys = openIdConnectConfiguration.SigningKeys;
var validationParameters = new TokenValidationParameters
{
RequireExpirationTime = true,
RequireSignedTokens = true,
ValidateIssuer = true,
ValidIssuer = _config.GetSection(Constants.OKTA)[Constants.DOMAIN],
ValidateIssuerSigningKey = true,
IssuerSigningKeys = signingKeys,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(2)
};
TokenValidationResult tokenValidationResult = await new JwtSecurityTokenHandler().ValidateTokenAsync(token, validationParameters);
Thanks
Nishit
Hi @nbisaria3 calling revoke api will not invalidate token .Tokens will only be invalidate when the expire . So I can give you two solutions
-
Set a short expire time for your token and keep refreshing them.
-
If you are willing to protect you enpoints add a filter that will calling introspect api to see if token is active or not and then do the further action.