Native Application logout

Hello, I’m developing a Flutter mobile application and I’d like to use Okta as the authentication server. I found a library (for Flutter) which integrates the whole process of fetching a token, and I can fetch the token without any problem. Now my problem is with logout. The library I’m using calls the revoke endpoint for the access token and refresh token, and I can verify from the introspect endpoint that it is revoked, since before the revoke the call to introspect gives me a valid token and after the call I get active:false from the introspect endpoint. But if I try to use the revoked token it still works and fetches data from my WebApi!!! How does this happen? How can I correctly remove the token so it does not work anymore?
Thanks

How long do you wait between revoke and trying your web api call?

No wait time, I check as soon as I revoke the token.

I have done some more tests and I have noticed something new.
What I did before was this:

  • I generated an access token
  • I created a local Apache server using XAMPP
  • I wrote a local PHP API using Okta’s verification API for PHP
  • I tried to get a resource from the API with the generated token
  • The token was validated and data was fetched
  • I called the revoke endpoint
  • I tried to call the same local API again
  • The token was validated and data was fetched again

I tried to do the same thing, but this time on a remote server, not a local XAMPP server.
With the remote server, after the revocation, the token is no longer valid and data is no longer fetched. Why does this process not work with the local XAMPP server, where the token is validated even after the revoke, while with the remote one the process is correct?

Let me ask you one thing: how do you perform token validation on your back end (web API)? Maybe that’s the reason; as you said, /introspect reports it as invalid. I’m not familiar with the PHP library for validation, but if it only does local validation instead of remote validation, then it makes sense.

In order to do the validation on the server side, I followed the example in Okta’s PHP guide (and it works properly, since it has been active for some months now). The code is the same on the local XAMPP server and the remote server; this is the weird thing.
I also tried another test (but this time only on the local server, since I don’t have a remote Windows server): I created an ASP.NET web API and again I have the same behaviour; the local server validates the token even after the call to the revoke endpoint.

I checked the PHP library and it seems it does local validation only, so I’m a little bit surprised that it works for you on a remote server.

I swear, I tried several times, and on my remote server after the revoke call I get 401 Unauthorized! :smiley:

Anyway, it seems a bit iffy to me as a long-term solution. You may want to consult Okta support, but from what I discovered about the PHP library, as I said, it does local validation only, so it’s not supposed to be aware of the fact that a token has been revoked. So, if you plan to make your authorization decisions based on the token, please make sure to call /introspect explicitly.

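An added example, not code from this thread or from Okta's PHP verification library, that shows why the two checks above disagree: local validation only verifies what the token itself carries (signature, issuer, audience, expiry) and never contacts the authorization server, so it cannot see a revocation; introspection is answered by the server and does. The signing secret, issuer, audience, jti values and the in-memory revocation store are constructed for the demo, and HS256 with a shared secret stands in for Okta's RS256/JWKS signature check so the script runs offline. The `authorize_request` function is the hardened resource-server check the last reply recommends: cheap local validation first, then an explicit introspection call before trusting the token.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo values (assumptions, not real Okta configuration).
SIGNING_SECRET = b"demo-secret-not-for-production"
ISSUER = "https://example.okta.com/oauth2/default"
AUDIENCE = "api://default"

# Server-side revocation store: what /revoke writes to and /introspect reads.
_revoked_jtis = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _claims(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def issue_token(sub: str, jti: str, ttl: int = 3600, now=None) -> str:
    """Authorization server: mint a signed JWT with a unique jti claim."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "jti": jti,
              "iat": int(now), "exp": int(now) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def revoke_token(token: str) -> None:
    """/revoke: records the jti server-side. The token string itself is unchanged,
    which is exactly why a purely local verifier keeps accepting it."""
    _revoked_jtis.add(_claims(token)["jti"])


def validate_locally(token: str, now=None) -> bool:
    """Local validation, the behaviour described for the PHP verifier:
    signature, issuer, audience and expiry only. No network call, so no
    knowledge of revocation."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SIGNING_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad structure, bad base64, bad JSON (binascii.Error is a ValueError)
        return False
    if not isinstance(claims, dict):
        return False
    now = time.time() if now is None else now
    return (claims.get("iss") == ISSUER
            and claims.get("aud") == AUDIENCE
            and claims.get("exp", 0) > now)


def introspect(token: str, now=None) -> dict:
    """/introspect (RFC 7662 response shape): local checks plus the server's
    revocation state, so a revoked token comes back active:false."""
    if not validate_locally(token, now):
        return {"active": False}
    claims = _claims(token)
    if claims["jti"] in _revoked_jtis:
        return {"active": False}
    return {"active": True, "sub": claims["sub"], "exp": claims["exp"]}


def authorize_request(token: str, now=None) -> int:
    """Hardened resource server: reject malformed/expired tokens locally (cheap),
    then consult introspection before trusting a valid-looking token.
    Returns the HTTP status the API would send."""
    if not validate_locally(token, now):
        return 401
    if not introspect(token, now).get("active"):
        return 401
    return 200


def demo() -> dict:
    """Reproduces the thread: revoke, then compare local validation with introspection."""
    token = issue_token("user@example.com", jti=uuid.uuid4().hex)
    before = (validate_locally(token), introspect(token)["active"], authorize_request(token))
    revoke_token(token)
    after = (validate_locally(token), introspect(token)["active"], authorize_request(token))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Running it shows `before` as (True, True, 200) and `after` as (True, False, 401): the signature and expiry still check out after revocation, so the local-only verifier says the token is fine, while introspection and the hardened check reject it. The trade-off is one extra round trip per request; if that is too costly, the usual middle ground is short access-token lifetimes combined with introspection only on sensitive operations.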