Inactive token still works

After I revoke an OAuth access token using the /revoke endpoint, I check the token using the /introspect endpoint and it shows that the token is inactive. When I try to use that token to access a protected resource, the token still works.

Hi @moconnor! Making sure you are revoking the access token from the correct authorization server, please confirm your revoke endpoint and your introspect endpoint look like the following:

  • revoke - {{url}}/oauth2/v1/revoke
  • introspect - {{url}}/oauth2/v1/introspect

The revoke, introspect, and resource server are all using the same authorization server.

Is your resource server using the introspect endpoint to see if the token is still valid (remote token validation) or is it checking the signature and ‘exp’ value in the token (local token validation)? If you’re not sure and you are using one of our JWT verifier libraries, these are designed to do local token validation (as it does not require a network call).

Only the introspect endpoint can tell you if a token has been revoked, while local validation will continue to consider the token valid based on the token lifetime instead. See our guide about token validation for more details.

@moconnor Did you test this in postman? Is your end goal to remove all users token/sessions?

I’m using Okta Spring Boot 2.0 (com.okta.spring) library. How are you guys doing it in the library?

Yes I tested this in postman. I just want to invalidate the access token. When a user logs out from our app, the app hits the revoke endpoint so that the access token to our API is no longer valid.

@moconnor I see. You can refer the doc here for how we doing this in Spring Boot library.
For more details, you can check this article
For postman test I believe you have done that correctly. Here is the reference for the steps.

If you’re using our Spring Boot Starter, it defaults to JWT Validation (local validation), but I would recommend that you change this to use Opaque Token Validation instead, based on your needs/expectations. More details about how to set this found in the README.

You may also want to check out this article by one of our Java SDK developers that explains the difference between the two and why you might want to use both.

Thanks andreaskouras.