Revoke Token call does not expire accessToken

Event log for revoke token

severity,event_type,display_message,uuid,version,timestamp,outcome.result,outcome.reason,actor.id,actor.type,actor.display_name,actor.alternate_id,authentication_context.authentication_step,authentication_context.authentication_provider,authentication_context.credential_provider,authentication_context.credential_type,authentication_context.issuer,authentication_context.external_session_id,client.zone,client.ip_address,client.device,client.user_agent.raw_user_agent,client.user_agent.os,client.user_agent.browser,client.geographical_context.country,client.geographical_context.city,client.geographical_context.postal_code,client.geographical_context.geolocation.lon,client.geographical_context.geolocation.lat,transaction.id,transaction.type,debug_context.debug_data.request_uri,legacy_event_type,target0.id,target0.type,target0.alternate_id,target0.display_name,target1.id,target1.type,target1.alternate_id,target1.display_name,target2.id,target2.type,target2.alternate_id,target2.display_name,target3.id,target3.type,target3.alternate_id,target3.display_name,request.ip_chain.geographical_context.postal_code,request.ip_chain.geographical_context.geolocation.lon,request.ip_chain.geographical_context.geolocation.lat,request.ip_chain.geographical_context.geolocation.state,request.ip_chain.ip,request.ip_chain.source,request.ip_chain.version
“INFO”,“app.oauth2.as.token.revoke”,“OAuth2 token revocation request”,“9aad6fea-fd63-11ec-897a-a7d2c3e4512c”,“0”,“2022-07-06T19:41:18.029Z”,“SUCCESS”,“”,“0oa5n47mgeIRL1bX85d7”,“PublicClientApp”,“MySPA”,“0oa5n47mgeIRL1bX85d7”,“0”,“”,“”,“”,“”,“unknown”,“null”,“207.99.59.92”,“Computer”,“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36”,“Windows 10”,“CHROME”,“United States”,“Jersey City”,“07305”,“-74.0866”,“40.7053”,“YsXlXUpC4kGnpoJtoFrvsgAADlo”,“WEB”,“/oauth2/default/v1/revoke”,“app.oauth2.as.token.revoke_success”,“AT.r5vPHQlCsMRiNFRNyJKVBBUEKVzOMF1GHa9AafqExOo”,“access_token”,“”,“Access Token”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“”,“07305”,“-74.0866”,“40.7053”,“New Jersey”,“207.99.59.92”,“”,“V4”

C# API code to check token expiration after logout on client SPA app

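/// <summary>
/// Validates <paramref name="token"/> locally against the issuer's published signing keys
/// and returns the parsed <see cref="JwtSecurityToken"/>.
/// </summary>
/// <remarks>
/// This is offline validation only: signature, issuer, audience and the lifetime claims
/// carried inside the token itself. It never asks the authorization server about this
/// particular token, so a token that has already been revoked via <c>/revoke</c> still
/// passes here until its <c>exp</c> is reached. Callers that must reject revoked tokens
/// need an additional server-side check (token introspection) on top of this one.
/// </remarks>
/// <param name="token">Raw compact-serialized JWT.</param>
/// <param name="issuer">Authorization server issuer URL; discovery metadata is read from
/// <c>{issuer}/.well-known/oauth-authorization-server</c>.</param>
/// <param name="oktaClientId">Kept for signature compatibility; not used by this method.</param>
/// <param name="ct">Cancellation token applied to the discovery document fetch.</param>
/// <returns>The validated token.</returns>
/// <exception cref="ArgumentNullException"><paramref name="token"/> or <paramref name="issuer"/> is null or empty.</exception>
/// <exception cref="SecurityTokenValidationException">Signature, issuer, audience or lifetime validation failed.</exception>
private static JwtSecurityToken GetJwtValidateToken(
    string token,
    string issuer, string oktaClientId,
    CancellationToken ct = default(CancellationToken))
{
    if (string.IsNullOrEmpty(token)) throw new ArgumentNullException(nameof(token));
    if (string.IsNullOrEmpty(issuer)) throw new ArgumentNullException(nameof(issuer));

    // NOTE: a fresh manager per call re-downloads the discovery document on every
    // validation; a shared static instance would cache it and refresh keys on demand.
    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        issuer + "/.well-known/oauth-authorization-server",
        new OpenIdConnectConfigurationRetriever(),
        new HttpDocumentRetriever());

    // Blocking on the async fetch is kept only to preserve the synchronous signature;
    // an async caller should await GetConfigurationAsync instead.
    var discoveryDocument = configurationManager.GetConfigurationAsync(ct).GetAwaiter().GetResult();

    var validationParameters = new TokenValidationParameters
    {
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        ValidateIssuer = true,
        ValidIssuer = issuer,
        ValidateIssuerSigningKey = true,
        IssuerSigningKeys = discoveryDocument.SigningKeys,
        // Lifetime means the token's own time-based claims; revocation state is not consulted.
        ValidateLifetime = true,
        // Allow for some drift in server time
        // (a lower value is better; we recommend two minutes or less)
        ClockSkew = TimeSpan.Zero,
        // See additional validation for aud below
        ValidateAudience = true,
        ValidAudience = "api://default"
    };

    try
    {
        // The ClaimsPrincipal result is not needed here; only the validated token is returned.
        new JwtSecurityTokenHandler()
            .ValidateToken(token, validationParameters, out var rawValidatedToken);

        return (JwtSecurityToken)rawValidatedToken;
    }
    catch (SecurityTokenValidationException)
    {
        // Logging, etc.

        // Rethrow as-is: "throw ex;" would discard the original stack trace.
        throw;
    }
}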

result.ValidTo
{7/6/2022 8:40:57 PM}
Date: {7/6/2022 12:00:00 AM}
Day: 6
DayOfWeek: Wednesday
DayOfYear: 187
Hour: 20
Kind: Utc
Millisecond: 0
Minute: 40
Month: 7
Second: 57
Ticks: 637927368570000000
TimeOfDay: {20:40:57}
Year: 2022

DateTime.UtcNow
{7/6/2022 8:40:33 PM}
Date: {7/6/2022 12:00:00 AM}
Day: 6
DayOfWeek: Wednesday
DayOfYear: 187
Hour: 20
Kind: Utc
Millisecond: 825
Minute: 40
Month: 7
Second: 33
Ticks: 637927368338256198
TimeOfDay: {20:40:33.8256198}
Year: 2022

{ {
“kid”: “4MR3yJg4wF0G9yy2XbzvDR281as99HOqbS1evxXZgZQ”,
“alg”: “RS256”
}
.{
“ver”: 1,
“jti”: “AT.r5vPHQlCsMRiNFRNyJKVBBUEKVzOMF1GHa9AafqExOo”,
“iss”: “https://dev-25217339.okta.com/oauth2/default”,
“aud”: “api://default”,
“iat”: 1657136457,
“exp”: 1657140057,
“cid”: “0oa5n47mgeIRL1bX85d7”,
“uid”: “00u5ldjn17bdQWbct5d7”,
“scp”: [“profile”, “openid”, “email”],
“auth_time”: 1657136456,
“sub”: “datamotion2022+1@gmail.com”
}
}

acessToken “eyJraWQiOiI0TVIzeUpnNHdGMEc5eXkyWGJ6dkRSMjgxYXM5OUhPcWJTMWV2eFhaZ1pRIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnI1dlBIUWxDc01SaU5GUk55SktWQkJVRUtWek9NRjFHSGE5QWFmcUV4T28iLCJpc3MiOiJodHRwczovL2Rldi0yNTIxNzMzOS5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE2NTcxMzY0NTcsImV4cCI6MTY1NzE0MDA1NywiY2lkIjoiMG9hNW40N21nZUlSTDFiWDg1ZDciLCJ1aWQiOiIwMHU1bGRqbjE3YmRRV2JjdDVkNyIsInNjcCI6WyJwcm9maWxlIiwib3BlbmlkIiwiZW1haWwiXSwiYXV0aF90aW1lIjoxNjU3MTM2NDU2LCJzdWIiOiJkYXRhbW90aW9uMjAyMisxQGdtYWlsLmNvbSJ9.AER0GeA-lgMtwyqxjwgNrFf-SomeY-Vk9Lyb32TnifGExv2Z9Tr7HwfBhZ56N-TW6YnbZdLMumNVVeHRTZRX84Hfx9adKzveSeXAe_d3lrl_Hq702Ch3fRCK9tmMYGY9P0kAQWm_SVs__6q2kT6sPwTNo4Z2DWpnOI3YrIyUVpOqCV0NOmb-MOiTC_pxALQHXk7gTdvpv31VMFm75SJOt0zWBV_7pzR3mhi5BgA98WDBx-6Ydu4C92fARkrBRIxHrf8axEn9rrhjNkFzoPbqTnRwzozmOmyqNQMMlBh_SFTfXc2mouLBdWNrhrajFl5Hvg22J80dMLunw1XmvPQkTA”

Angular SPA code
await this._oktaAuth.revokeAccessToken();
await this._oktaAuth.revokeRefreshToken();
this._oktaAuth.tokenManager.clear();
await this._oktaAuth.signOut({revokeAccessToken: true});
const token2 = await this._oktaAuth.getAccessToken(); // I have confirmed that this is the correct access token
await this._oktaAuth.signOut();

my eyes hurt to see that :slight_smile: if you want people to answer you, maybe it’s worth putting some effort in making it readable

I am so sorry , appreciate your help!

here is the scenario: I have a client app (Angular SPA) as mentioned at
Sign users in to your SPA using the redirect model | Okta Developer

I am consuming a custom .NET API to validate the access token sent from the above Angular app to my API, and re-validating the access token using C# code (i.e. private static JwtSecurityToken GetJwtValidateToken())

Now when a user signs out within the client app (Angular), it calls the revoke endpoint from Angular to Okta
I see the event log entry is success

I am re-validating the same access token in the custom .NET API by comparing ValidTo (of JwtSecurityToken) of the result - which I believe should be expired after revoke

Thank you in advance

I believe your question is similar to this post:

Yeah, I’m not sure how the C# API performs validation; it’s not clear from the code posted here. If it only does local validation, you will never see anything wrong with the token until it’s expired

Thank you warren!

I am calling the /revoke endpoint to revoke the access tokens when the user has logged out of the application. But the token is still validated as valid by the C# API call - below is the code snippet

var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                issuer + "/.well-known/oauth-authorization-server",
                new OpenIdConnectConfigurationRetriever(),
                new HttpDocumentRetriever());

            var discoveryDocument = configurationManager.GetConfigurationAsync(ct).GetAwaiter().GetResult();
            var signingKeys = discoveryDocument.SigningKeys;

            var validationParameters = new TokenValidationParameters
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                ValidateIssuer = true,
                ValidIssuer = issuer,
                ValidateIssuerSigningKey = true,
                IssuerSigningKeys = signingKeys,
                ValidateLifetime = true,
                // Allow for some drift in server time
                // (a lower value is better; we recommend two minutes or less)
                ClockSkew = TimeSpan.FromMinutes(2),
                // See additional validation for aud below
                ValidateAudience = false
            };


                var principal = new JwtSecurityTokenHandler()
                    .ValidateToken(token, validationParameters, out var rawValidatedToken);

                return (JwtSecurityToken)rawValidatedToken;
            

And the ValidTo (of JwtSecurityToken) property is the same date and time as in the original token

Does /revoke set/change ValidTo of refresh token ?

Thank you philipp
Does /revoke set/change ValidTo of refresh token ?

/revoke marks the token as invalid for the authorization server, so the next time a user comes with this token, they will be rejected. So the answer is no, it does not do anything to the token you are already holding in your hands.