Forum Discussion

Cirrocumulus

May 13, 2020

F5 oauth server refresh token revocation

Dear All, I am working on a F5 as the oauth server provider which provides JWT access tokens for oauth clients, everything works fine but now we want to know how to revoke the access / refresh ...

application delivery

BIG-IP Access Policy Manager (APM)

oauth

revocation

Dave_W

Employee

May 14, 2020

Hello Marvin, the Token Revocation Endpoint is not supported with JWT tokens, only with Opaque tokens. As far as I can tell from doing some searching on JWT it appears the short answer is you can not revoke them.

Marvin
Cirrocumulus
May 14, 2020
Hi Dave, thanks for your answer i dont understand why it shouldnt support this, so you are basically saying that I need an RFE to support this within F5 APM oauth?

For security tt is required to invalidate the JWT access token when a user logs out, because if someone steals the refresh token it could be used to retrieve and access token, but I guess you got my point.

Do you have any reference material that indicates this how are you so sure?

Furthermore do you know how to invalidate opaque tokens how a revocation request should be crafted and send to F5 oauth server, I could give it a try.

Thanks for the help
Marvin
Cirrocumulus
May 14, 2020
Hi Dave, I found the reference and indeed not supported, I have to see if this is acceptable from security point of view. Thanks for the heads up!