Revoke Token call does not expired accessToken

Event log for revoke token

severity,event_type,display_message,uuid,version,timestamp,outcome.result,outcome.reason,actor.id,actor.type,actor.display_name,actor.alternate_id,authentication_context.authentication_step,authentication_context.authentication_provider,authentication_context.credential_provider,authentication_context.credential_type,authentication_context.issuer,authentication_context.external_session_id,client.zone,client.ip_address,client.device,client.user_agent.raw_user_agent,client.user_agent.os,client.user_agent.browser,client.geographical_context.country,client.geographical_context.city,client.geographical_context.postal_code,client.geographical_context.geolocation.lon,client.geographical_context.geolocation.lat,transaction.id,transaction.type,debug_context.debug_data.request_uri,legacy_event_type,target0.id,target0.type,target0.alternate_id,target0.display_name,target1.id,target1.type,target1.alternate_id,target1.display_name,target2.id,target2.type,target2.alternate_id,target2.display_name,target3.id,target3.type,target3.alternate_id,target3.display_name,request.ip_chain.geographical_context.postal_code,request.ip_chain.geographical_context.geolocation.lon,request.ip_chain.geographical_context.geolocation.lat,request.ip_chain.geographical_context.geolocation.state,request.ip_chain.ip,request.ip_chain.source,request.ip_chain.version
“INFO”,“app.oauth2.as.token.revoke”,“OAuth2 token revocation request”,“9aad6fea-fd63-11ec-897a-a7d2c3e4512c”,“0”,“2022-07-06T19:41:18.029Z”,“SUCCESS”,“”,“0oa5n47mgeIRL1bX85d7”,“PublicClientApp”,“MySPA”,“0oa5n47mgeIRL1bX85d7”,“0”,“”,“”,“”,“”,“unknown”,“null”,“207.99.59.92”,“Computer”,“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36”,“Windows 10”,“CHROME”,“United States”,“Jersey City”,“07305”,“-74.0866”,“40.7053”,“YsXlXUpC4kGnpoJtoFrvsgAADlo”,“WEB”,“/oauth2/default/v1/revoke”,“app.oauth2.as.token.revoke_success”,“AT.r5vPHQlCsMRiNFRNyJKVBBUEKVzOMF1GHa9AafqExOo”,“access_token”,“”,“Access Token”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“07305”,“-74.0866”,“40.7053”,“New Jersey”,“207.99.59.92”,“”,“V4”

C# API Code to check token expiration after logut on client SPA app

private static JwtSecurityToken GetJwtValidateToken(
string token,
string issuer, string oktaClientId,
CancellationToken ct = default(CancellationToken))
{
if (string.IsNullOrEmpty(token)) throw new ArgumentNullException(nameof(token));
if (string.IsNullOrEmpty(issuer)) throw new ArgumentNullException(nameof(issuer));

        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            issuer + "/.well-known/oauth-authorization-server",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever());

        var discoveryDocument = configurationManager.GetConfigurationAsync(ct).GetAwaiter().GetResult();
        var signingKeys = discoveryDocument.SigningKeys;

        var validationParameters = new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = signingKeys,
            ValidateLifetime = true,
            // Allow for some drift in server time
            // (a lower value is better; we recommend two minutes or less)
            ClockSkew = TimeSpan.Zero,
            // See additional validation for aud below
            ValidateAudience = true,
            ValidAudience = "api://default"

        };

        try
        {
            var principal = new JwtSecurityTokenHandler()
                .ValidateToken(token, validationParameters, out var rawValidatedToken);

            return (JwtSecurityToken)rawValidatedToken;
        }
        catch (SecurityTokenValidationException ex)
        {
            // Logging, etc.

            throw ex;
        }
    }

result.ValidTo
{7/6/2022 8:40:57 PM}
Date: {7/6/2022 12:00:00 AM}
Day: 6
DayOfWeek: Wednesday
DayOfYear: 187
Hour: 20
Kind: Utc
Millisecond: 0
Minute: 40
Month: 7
Second: 57
Ticks: 637927368570000000
TimeOfDay: {20:40:57}
Year: 2022

DateTime.UtcNow
{7/6/2022 8:40:33 PM}
Date: {7/6/2022 12:00:00 AM}
Day: 6
DayOfWeek: Wednesday
DayOfYear: 187
Hour: 20
Kind: Utc
Millisecond: 825
Minute: 40
Month: 7
Second: 33
Ticks: 637927368338256198
TimeOfDay: {20:40:33.8256198}
Year: 2022

{ {
“kid”: “4MR3yJg4wF0G9yy2XbzvDR281as99HOqbS1evxXZgZQ”,
“alg”: “RS256”
}
.{
“ver”: 1,
“jti”: “AT.r5vPHQlCsMRiNFRNyJKVBBUEKVzOMF1GHa9AafqExOo”,
“iss”: “https://dev-25217339.okta.com/oauth2/default”,
“aud”: “api://default”,
“iat”: 1657136457,
“exp”: 1657140057,
“cid”: “0oa5n47mgeIRL1bX85d7”,
“uid”: “00u5ldjn17bdQWbct5d7”,
“scp”: [“profile”, “openid”, “email”],
“auth_time”: 1657136456,
“sub”: “datamotion2022+1@gmail.com”
}
}

acessToken “eyJraWQiOiI0TVIzeUpnNHdGMEc5eXkyWGJ6dkRSMjgxYXM5OUhPcWJTMWV2eFhaZ1pRIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnI1dlBIUWxDc01SaU5GUk55SktWQkJVRUtWek9NRjFHSGE5QWFmcUV4T28iLCJpc3MiOiJodHRwczovL2Rldi0yNTIxNzMzOS5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE2NTcxMzY0NTcsImV4cCI6MTY1NzE0MDA1NywiY2lkIjoiMG9hNW40N21nZUlSTDFiWDg1ZDciLCJ1aWQiOiIwMHU1bGRqbjE3YmRRV2JjdDVkNyIsInNjcCI6WyJwcm9maWxlIiwib3BlbmlkIiwiZW1haWwiXSwiYXV0aF90aW1lIjoxNjU3MTM2NDU2LCJzdWIiOiJkYXRhbW90aW9uMjAyMisxQGdtYWlsLmNvbSJ9.AER0GeA-lgMtwyqxjwgNrFf-SomeY-Vk9Lyb32TnifGExv2Z9Tr7HwfBhZ56N-TW6YnbZdLMumNVVeHRTZRX84Hfx9adKzveSeXAe_d3lrl_Hq702Ch3fRCK9tmMYGY9P0kAQWm_SVs__6q2kT6sPwTNo4Z2DWpnOI3YrIyUVpOqCV0NOmb-MOiTC_pxALQHXk7gTdvpv31VMFm75SJOt0zWBV_7pzR3mhi5BgA98WDBx-6Ydu4C92fARkrBRIxHrf8axEn9rrhjNkFzoPbqTnRwzozmOmyqNQMMlBh_SFTfXc2mouLBdWNrhrajFl5Hvg22J80dMLunw1XmvPQkTA”

Angular SPA code
await this._oktaAuth.revokeAccessToken();
await this._oktaAuth.revokeRefreshToken();
this._oktaAuth.tokenManager.clear();
await this._oktaAuth.signOut({revokeAccessToken: true});
const token2 = await this._oktaAuth.getAccessToken(); // I have confirmed that this is the correct access token
await this._oktaAuth.signOut();

my eyes hurt to see that if you want people to answer you, maybe it’s worth putting some effort in making it readable

I am so sorry , appreciate your help!

here is the scenario , I have client app Angular spa as mentioned at
Sign users in to your SPA using the redirect model | Okta Developer

I am consuming custom .NET API to validate access Token from above angular app to my API and revalidating Access token using C# code (i.e. private static JwtSecurityToken GetJwtValidateToken()

Now user within client app (angular ) signout will call revoke endpoint from Agnular to okta
I see event log entry is success

I am re-validating Same access token in custom .NET API by comparing ValidTo (of JwtSecurityToken ) of result - which I believe should expired after revoke

Thank you in advance

I believe your question is similar to this post:

Yeah, I’m not sure how C# API performs validation, it’s not clear from the code posted here. If they only do local validation, you will never see anything wrong with the token, until it’s expired

Thank you warren!

I am calling /revoke endpoint to revoke the access tokens when the user has logged out of from application. But still token validated as valid from C# API call - below is the code snippet

var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                issuer + "/.well-known/oauth-authorization-server",
                new OpenIdConnectConfigurationRetriever(),
                new HttpDocumentRetriever());

            var discoveryDocument = configurationManager.GetConfigurationAsync(ct).GetAwaiter().GetResult();
            var signingKeys = discoveryDocument.SigningKeys;

            var validationParameters = new TokenValidationParameters
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                ValidateIssuer = true,
                ValidIssuer = issuer,
                ValidateIssuerSigningKey = true,
                IssuerSigningKeys = signingKeys,
                ValidateLifetime = true,
                // Allow for some drift in server time
                // (a lower value is better; we recommend two minutes or less)
                ClockSkew = TimeSpan.FromMinutes(2),
                // See additional validation for aud below
                ValidateAudience = false
            };


                var principal = new JwtSecurityTokenHandler()
                    .ValidateToken(token, validationParameters, out var rawValidatedToken);

                return (JwtSecurityToken)rawValidatedToken;
            

And ValidTo (of JwtSecurityToken) property is same date and time as original token

Does /revoke set/change ValidTo of refresh token ?

Thank you philipp
Does /revoke set/change ValidTo of refresh token ?

/revoke marks the token as invalid for authorization server, so next time a user comes with this token, they will be rejected. So the answer is no it does not do anything to the token which you are already holding on your hands.