Forum Discussion
F5 oauth server refresh token revocation
Hello Marvin, the Token Revocation Endpoint is not supported with JWT tokens, only with Opaque tokens. As far as I can tell from doing some searching on JWT, it appears the short answer is you cannot revoke them.
Hi Dave, thanks for your answer. I don't understand why it shouldn't support this, so you are basically saying that I need an RFE to support this within F5 APM oauth?
For security it is required to invalidate the JWT access token when a user logs out, because if someone steals the refresh token it could be used to retrieve an access token, but I guess you got my point.
Do you have any reference material that indicates this? How are you so sure?
Furthermore, do you know how to invalidate opaque tokens, and how a revocation request should be crafted and sent to the F5 oauth server? I could give it a try.
Thanks for the help
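The difference discussed in this thread, as an added example that is not part of the original posts and is not F5 APM code: a hypothetical in-memory authorization server (`DemoAuthServer`) takes an RFC 7009-style revocation body for an opaque token and for a JWT, and a resource server then checks both. All names, the HS256 demo key and the tokens are constructed for illustration; client authentication, which RFC 7009 requires on the real request, is left out.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

KEY = secrets.token_bytes(32)  # constructed demo signing key

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(head, body):
    return b64u(hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest())

class DemoAuthServer:
    """Hypothetical in-memory authorization server; not F5 APM."""
    def __init__(self):
        self.opaque = {}  # opaque token -> still active?

    def issue_opaque(self):
        tok = secrets.token_urlsafe(24)
        self.opaque[tok] = True
        return tok

    def issue_jwt(self, sub, ttl=300):
        head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64u(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
        return f"{head}.{body}.{sign(head, body)}"

    def revoke(self, form_body):
        # RFC 7009 request body: form-encoded "token" (+ optional "token_type_hint")
        token = parse_qs(form_body)["token"][0]
        if token in self.opaque:
            self.opaque[token] = False  # server-side state flips
        return 200  # RFC 7009 answers 200 for unknown tokens as well

    def introspect(self, token):
        return self.opaque.get(token, False)

def verify_jwt_locally(token, now=None):
    """Resource-server check: signature and exp only, no call to the issuer."""
    head, body, sig = token.split(".")
    if not hmac.compare_digest(sign(head, body), sig):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims["exp"] > (time.time() if now is None else now)

def revocation_body(token, hint):
    return urlencode({"token": token, "token_type_hint": hint})
```

After `revoke()`, the opaque token fails introspection at once, while the JWT keeps passing the local signature and `exp` check until it expires, which is why short access-token lifetimes matter when JWTs are used.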