Revoke API not working

We are using the revoke API because we want to invalidate an access token. On the revoke API call we get a 200 status code, but on verify the token still shows as valid.

Are you using the /introspect endpoint to validate the token, or are you locally validating it? Local token validation will never take into consideration the state of the token on the server itself. You can only check if a token has been revoked (using the revocation endpoint) by sending it back to the introspection endpoint.

This is also mentioned in our guide about how to Validate Access Tokens.

I have tried using the introspect endpoint, but it always gives status code 200 with active state false.

…com/oauth2/v1/introspect


So after revoking, the introspect endpoint reports that the token is "active": false? This is expected/the desired behavior. The introspect endpoint will reflect the status of the token on the authorization server side, so when you make your /v1/revoke request, you toggle the status of the token from "active": true to "active": false.

No, even before I make the call to the revoke API, it gives "active": false.

What’s the value of the iss claim in your token and does it match the /revoke URL you are using? You want to make sure you make the revocation call to the same authorization server, aka iss/v1/revoke

https://dev-45144393.okta.com/oauth2/v1/introspect
https://dev-45144393.okta.com/oauth2/v1/revoke

{
ver: 1,
jti: 'AT.SF4NwZkvomCNB4oy0Dl3ZzijXy0gfHvs_ZbcZONY-OM',
iss: 'https://dev-45144393.okta.com/oauth2/default',
aud: 'api://default',
iat: 1659593366,
exp: 1659596966,
cid: '0oahclrvabTRx8ohK6r3',
uid: '00ufzb7ilbgqDmEKk2p7',
scp: [ 'openid', 'profile', 'email' ],
auth_time: 1659589604,
sub: 'manoj@yopmail.com'
}

These are the claims, and the URLs above are the ones I am using, and I really am getting a false active status for the token, before and after revoke.

Based on the iss in the token payload you’ve shared, you should be using the following endpoints instead:
https://dev-45144393.okta.com/oauth2/default/v1/introspect
https://dev-45144393.okta.com/oauth2/default/v1/revoke
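To see why the org-level endpoint answered "active": false both before and after the revoke call, here is an added Python example (not from this thread and not Okta's code) that derives the introspect/revoke URLs from the token's iss claim and simulates two authorization servers with constructed sample claims; the mock server's revoke and introspect behaviour follows RFC 7009 and RFC 7662 in general, not Okta's implementation specifically.

```python
import base64
import json

# Constructed sample claims shaped like the payload posted in the thread.
SAMPLE_CLAIMS = {
    "iss": "https://dev-45144393.okta.com/oauth2/default",
    "aud": "api://default",
    "jti": "AT.constructed-jti",
    "iat": 1659593366,
    "exp": 1659596966,
}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """JWT-shaped string with a placeholder signature (demo only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"

def read_claims(token: str) -> dict:
    """Decode the payload without verifying it: enough to pick the server,
    never a substitute for validation (which is what introspection does)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def endpoints_for(token: str) -> dict:
    """Derive the introspect/revoke URLs from iss, as the thread's fix does."""
    iss = read_claims(token)["iss"].rstrip("/")
    return {"introspect": f"{iss}/v1/introspect", "revoke": f"{iss}/v1/revoke"}

class MockAuthServer:
    """Constructed stand-in for one authorization server (one issuer)."""
    def __init__(self, issuer: str):
        self.issuer, self.revoked = issuer, set()

    def revoke(self, token: str) -> int:
        # RFC 7009: respond 200 even for a token this server did not issue,
        # which is why a 200 from the wrong server proves nothing.
        if read_claims(token)["iss"] == self.issuer:
            self.revoked.add(read_claims(token)["jti"])
        return 200

    def introspect(self, token: str, now: int) -> dict:
        c = read_claims(token)
        if c["iss"] != self.issuer or c["jti"] in self.revoked or now >= c["exp"]:
            return {"active": False}  # RFC 7662: unknown tokens are just inactive
        return {"active": True, "jti": c["jti"], "exp": c["exp"]}
```

Pointing the client at `MockAuthServer("https://dev-45144393.okta.com/oauth2")` reproduces the symptom (200 from revoke, always inactive from introspect), while the server built from `endpoints_for(token)` shows active true, then false after revoke.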

Thank you so much @andrea, it's working as expected. Great, thanks!

