Marvin
May 13, 2020

F5 oauth server refresh token revocation

Dear All,

 

I am working on an F5 as the OAuth server provider, which provides JWT access tokens for OAuth clients. Everything works fine, but now we want to know how to revoke the access / refresh tokens on the F5 OAuth server.

 

The endpoint is /f5-oauth2/v1/revoke. In the POST payload data we set the following parameters:

 

client_id=we put the value here

client_secret=we put the value here

grant_type=refresh_token

token_content_type=jwt

refresh_token=we put the value here

We receive the response below:

 

{
  "error": "invalid_request",
  "error_description": "Required parameter (access_token or refresh_token) is missing"
}

 

Does someone have an idea how to modify the request to allow revocation to occur on the F5 OAuth server?

  • Hello Marvin, the Token Revocation Endpoint is not supported with JWT tokens, only with Opaque tokens. As far as I can tell from doing some searching on JWT, it appears the short answer is you cannot revoke them.

    • Marvin

      Hi Dave, thanks for your answer. I don't understand why it shouldn't support this, so you are basically saying that I need an RFE to support this within F5 APM OAuth?

      For security it is required to invalidate the JWT access token when a user logs out, because if someone steals the refresh token it could be used to retrieve an access token, but I guess you got my point.

      Do you have any reference material that indicates this? How are you so sure?

      Furthermore, do you know how to invalidate opaque tokens, and how a revocation request should be crafted and sent to the F5 OAuth server? I could give it a try.

      Thanks for the help

    • Marvin

      Hi Dave, I found the reference and it is indeed not supported. I have to see if this is acceptable from a security point of view. Thanks for the heads up!

  • Marvin

    https://techdocs.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-access-5-4-0/6.html

  • Marvin
    1. For JWT Access Token Lifetime, type a number.
    2. This specifies the number of minutes a JWT access token is considered valid. In specifying this lifetime, consider that JWT access tokens cannot be revoked.
    3. For JWT Generate Refresh Token, select Enabled so the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
    4. For JWT Refresh Token Lifetime, type a number.
    5. This specifies the number of minutes a refresh token is considered valid. In specifying this lifetime, consider that JWT refresh tokens cannot be revoked.

     

  • Marvin

    It seems they already addressed this issue.

     

    Bug alias 679219 [OAuth AS] [RFE] Support revocation of JWT refresh token
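
Why the lifetime settings quoted above matter, as an added example that is not part of the thread and not F5 code: a JWT validator checks only the signature and `exp`, so a token survives logout until it expires unless the validating side keeps its own state. The HS256 key, the claim values and the `jti` denylist are assumptions made for illustration; the denylist is a hypothetical resource-side mitigation, not something the thread describes.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed HS256 key, for illustration only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(sub: str, jti: str, now: int, lifetime_min: int) -> str:
    """Mint a JWT; lifetime_min plays the role of the lifetime setting."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "jti": jti, "exp": now + lifetime_min * 60}).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}'))}"

def validate(token: str, now: int, denylist=None) -> bool:
    """Signature and exp are checked statelessly; denylist is optional state."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return False
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return False
    except (ValueError, TypeError, KeyError):
        return False
    return denylist is None or claims.get("jti") not in denylist

def logout(token: str, denylist: dict, now: int) -> None:
    """Hypothetical resource-side revocation: remember the jti until exp."""
    claims = json.loads(_unb64(token.split(".")[1]))
    denylist[claims["jti"]] = claims["exp"]
    for jti in [j for j, exp in denylist.items() if exp <= now]:
        del denylist[jti]  # expired tokens fail validate() on exp anyway

def demo() -> dict:
    t0 = 1_589_328_000  # constructed clock value, seconds since the epoch
    token = issue("user-1", "jti-0001", t0, lifetime_min=60)
    denylist = {}
    logout(token, denylist, t0 + 300)  # user logs out five minutes in
    return {"stateless_after_logout": validate(token, t0 + 600),
            "denylist_after_logout": validate(token, t0 + 600, denylist),
            "stateless_after_expiry": validate(token, t0 + 3600)}

if __name__ == "__main__":
    print(demo())
```

With a purely stateless check the exposure after logout equals the remaining token lifetime, which is why the lifetime values are the control to tune when revocation is unavailable.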