Revoke Token call does not expired accessToken

Event log for revoke token

severity,event_type,display_message,uuid,version,timestamp,outcome.result,outcome.reason,actor.id,actor.type,actor.display_name,actor.alternate_id,authentication_context.authentication_step,authentication_context.authentication_provider,authentication_context.credential_provider,authentication_context.credential_type,authentication_context.issuer,authentication_context.external_session_id,client.zone,client.ip_address,client.device,client.user_agent.raw_user_agent,client.user_agent.os,client.user_agent.browser,client.geographical_context.country,client.geographical_context.city,client.geographical_context.postal_code,client.geographical_context.geolocation.lon,client.geographical_context.geolocation.lat,transaction.id,transaction.type,debug_context.debug_data.request_uri,legacy_event_type,target0.id,target0.type,target0.alternate_id,target0.display_name,target1.id,target1.type,target1.alternate_id,target1.display_name,target2.id,target2.type,target2.alternate_id,target2.display_name,target3.id,target3.type,target3.alternate_id,target3.display_name,request.ip_chain.geographical_context.postal_code,request.ip_chain.geographical_context.geolocation.lon,request.ip_chain.geographical_context.geolocation.lat,request.ip_chain.geographical_context.geolocation.state,request.ip_chain.ip,request.ip_chain.source,request.ip_chain.version
“INFO”,“app.oauth2.as.token.revoke”,“OAuth2 token revocation request”,“9aad6fea-fd63-11ec-897a-a7d2c3e4512c”,“0”,“2022-07-06T19:41:18.029Z”,“SUCCESS”,“”,“0oa5n47mgeIRL1bX85d7”,“PublicClientApp”,“MySPA”,“0oa5n47mgeIRL1bX85d7”,“0”,“”,“”,“”,“”,“unknown”,“null”,“207.99.59.92”,“Computer”,“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36”,“Windows 10”,“CHROME”,“United States”,“Jersey City”,“07305”,“-74.0866”,“40.7053”,“YsXlXUpC4kGnpoJtoFrvsgAADlo”,“WEB”,“/oauth2/default/v1/revoke”,“app.oauth2.as.token.revoke_success”,“AT.r5vPHQlCsMRiNFRNyJKVBBUEKVzOMF1GHa9AafqExOo”,“access_token”,“”,“Access Token”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“07305”,“-74.0866”,“40.7053”,“New Jersey”,“207.99.59.92”,“”,“V4”

C# API Code to check token expiration after logut on client SPA app

private static JwtSecurityToken GetJwtValidateToken(
string token,
string issuer, string oktaClientId,
CancellationToken ct = default(CancellationToken))
{
if (string.IsNullOrEmpty(token)) throw new ArgumentNullException(nameof(token));
if (string.IsNullOrEmpty(issuer)) throw new ArgumentNullException(nameof(issuer));

        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            issuer + "/.well-known/oauth-authorization-server",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever());

        var discoveryDocument = configurationManager.GetConfigurationAsync(ct).GetAwaiter().GetResult();
        var signingKeys = discoveryDocument.SigningKeys;

        var validationParameters = new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = signingKeys,
            ValidateLifetime = true,
            // Allow for some drift in server time
            // (a lower value is better; we recommend two minutes or less)
            ClockSkew = TimeSpan.Zero,
            // See additional validation for aud below
            ValidateAudience = true,
            ValidAudience = "api://default"

        };

        try
        {
            var principal = new JwtSecurityTokenHandler()
                .ValidateToken(token, validationParameters, out var rawValidatedToken);

            return (JwtSecurityToken)rawValidatedToken;
        }
        catch (SecurityTokenValidationException ex)
        {
            // Logging, etc.

            throw ex;
        }
    }

result.ValidTo
{7/6/2022 8:40:57 PM}
Date: {7/6/2022 12:00:00 AM}
Day: 6
DayOfWeek: Wednesday
DayOfYear: 187
Hour: 20
Kind: Utc
Millisecond: 0
Minute: 40
Month: 7
Second: 57
Ticks: 637927368570000000
TimeOfDay: {20:40:57}
Year: 2022

DateTime.UtcNow
{7/6/2022 8:40:33 PM}
Date: {7/6/2022 12:00:00 AM}
Day: 6
DayOfWeek: Wednesday
DayOfYear: 187
Hour: 20
Kind: Utc
Millisecond: 825
Minute: 40
Month: 7
Second: 33
Ticks: 637927368338256198
TimeOfDay: {20:40:33.8256198}
Year: 2022

{ {
“kid”: “4MR3yJg4wF0G9yy2XbzvDR281as99HOqbS1evxXZgZQ”,
“alg”: “RS256”
}
.{
“ver”: 1,
“jti”: “AT.r5vPHQlCsMRiNFRNyJKVBBUEKVzOMF1GHa9AafqExOo”,
“iss”: “https://dev-25217339.okta.com/oauth2/default”,
“aud”: “api://default”,
“iat”: 1657136457,
“exp”: 1657140057,
“cid”: “0oa5n47mgeIRL1bX85d7”,
“uid”: “00u5ldjn17bdQWbct5d7”,
“scp”: [“profile”, “openid”, “email”],
“auth_time”: 1657136456,
“sub”: “datamotion2022+1@gmail.com
}
}

acessToken “eyJraWQiOiI0TVIzeUpnNHdGMEc5eXkyWGJ6dkRSMjgxYXM5OUhPcWJTMWV2eFhaZ1pRIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnI1dlBIUWxDc01SaU5GUk55SktWQkJVRUtWek9NRjFHSGE5QWFmcUV4T28iLCJpc3MiOiJodHRwczovL2Rldi0yNTIxNzMzOS5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE2NTcxMzY0NTcsImV4cCI6MTY1NzE0MDA1NywiY2lkIjoiMG9hNW40N21nZUlSTDFiWDg1ZDciLCJ1aWQiOiIwMHU1bGRqbjE3YmRRV2JjdDVkNyIsInNjcCI6WyJwcm9maWxlIiwib3BlbmlkIiwiZW1haWwiXSwiYXV0aF90aW1lIjoxNjU3MTM2NDU2LCJzdWIiOiJkYXRhbW90aW9uMjAyMisxQGdtYWlsLmNvbSJ9.AER0GeA-lgMtwyqxjwgNrFf-SomeY-Vk9Lyb32TnifGExv2Z9Tr7HwfBhZ56N-TW6YnbZdLMumNVVeHRTZRX84Hfx9adKzveSeXAe_d3lrl_Hq702Ch3fRCK9tmMYGY9P0kAQWm_SVs__6q2kT6sPwTNo4Z2DWpnOI3YrIyUVpOqCV0NOmb-MOiTC_pxALQHXk7gTdvpv31VMFm75SJOt0zWBV_7pzR3mhi5BgA98WDBx-6Ydu4C92fARkrBRIxHrf8axEn9rrhjNkFzoPbqTnRwzozmOmyqNQMMlBh_SFTfXc2mouLBdWNrhrajFl5Hvg22J80dMLunw1XmvPQkTA”

Angular SPA code
await this._oktaAuth.revokeAccessToken();
await this._oktaAuth.revokeRefreshToken();
this._oktaAuth.tokenManager.clear();
await this._oktaAuth.signOut({revokeAccessToken: true});
const token2 = await this._oktaAuth.getAccessToken(); // I have confirmed that this is the correct access token
await this._oktaAuth.signOut();

my eyes hurt to see that :slight_smile: if you want people to answer you, maybe it’s worth putting some effort in making it readable

I am so sorry , appreciate your help!

here is the scenario , I have client app Angular spa as mentioned at
Sign users in to your SPA using the redirect model | Okta Developer

I am consuming custom .NET API to validate access Token from above angular app to my API and revalidating Access token using C# code (i.e. private static JwtSecurityToken GetJwtValidateToken()

Now user within client app (angular ) signout will call revoke endpoint from Agnular to okta
I see event log entry is success

I am re-validating Same access token in custom .NET API by comparing ValidTo (of JwtSecurityToken ) of result - which I believe should expired after revoke

Thank you in advance

I believe your question is similar to this post:

1 Like

Yeah, I’m not sure how C# API performs validation, it’s not clear from the code posted here. If they only do local validation, you will never see anything wrong with the token, until it’s expired

1 Like

Thank you warren!

I am calling /revoke endpoint to revoke the access tokens when the user has logged out of from application. But still token validated as valid from C# API call - below is the code snippet

var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                issuer + "/.well-known/oauth-authorization-server",
                new OpenIdConnectConfigurationRetriever(),
                new HttpDocumentRetriever());

            var discoveryDocument = configurationManager.GetConfigurationAsync(ct).GetAwaiter().GetResult();
            var signingKeys = discoveryDocument.SigningKeys;

            var validationParameters = new TokenValidationParameters
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                ValidateIssuer = true,
                ValidIssuer = issuer,
                ValidateIssuerSigningKey = true,
                IssuerSigningKeys = signingKeys,
                ValidateLifetime = true,
                // Allow for some drift in server time
                // (a lower value is better; we recommend two minutes or less)
                ClockSkew = TimeSpan.FromMinutes(2),
                // See additional validation for aud below
                ValidateAudience = false
            };


                var principal = new JwtSecurityTokenHandler()
                    .ValidateToken(token, validationParameters, out var rawValidatedToken);

                return (JwtSecurityToken)rawValidatedToken;
            

And ValidTo (of JwtSecurityToken) property is same date and time as original token

Does /revoke set/change ValidTo of refresh token ?

Thank you philipp
Does /revoke set/change ValidTo of refresh token ?

/revoke marks the token as invalid for authorization server, so next time a user comes with this token, they will be rejected. So the answer is no it does not do anything to the token which you are already holding on your hands.

2 Likes