We are using revoke api as we want to invalidate access token, on revoke api call, we are getting status code with 200 status, but still that token on verify, shows its valid.
Are you using the /introspect endpoint to validate the token, or are you locally validating it? Local token validation will never take into consideration the state of the token on the server itself. You can only check if a token has been revoked (using the revocation endpoint) by sending it back to the introspection endpoint.
This is also mentioned in our guide about how to Validate Access Tokens.
I have tried using introspect endpoint. but its always giving status code 200 with active state false
So after revoking, the introspect endpoint reports that the token is
"active": false? This is expected/the desired behavior. The introspect endpoint will reflect the status of the token on the authorization server side, so when you make your
/v1/revoke request, you toggled the status of the token from
No, Even before i make call to revoke API, its giving status “active”:false
What’s the value of the
iss claim in your token and does it match the /revoke URL you are using? You want to make sure you make the revocation call to the same authorization server, aka
scp: [ ‘openid’, ‘profile’, ‘email’ ],
This is claim, and url above, which i am using, and really i am getting false status for active token, before and after revoke
Based on the
iss in the token payload you’ve shared, you should be using the following endpoints instead:
Thank you so much @andrea , Its working as expected. Great thanks
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.