Forum Discussion
Marvin
Cirrocumulus
CirrocumulusF5 oauth server refresh token revocation
Dear All, I am working on a F5 as the oauth server provider which provides JWT access tokens for oauth clients, everything works fine but now we want to know how to revoke the access / refresh ...
Dave_W
Employee
EmployeeHello Marvin, the Token Revocation Endpoint is not supported with JWT tokens, only with Opaque tokens. As far as I can tell from doing some searching on JWT it appears the short answer is you can not revoke them.
MarvinCirrocumulus
CirrocumulusHi Dave, thanks for your answer i dont understand why it shouldnt support this, so you are basically saying that I need an RFE to support this within F5 APM oauth?
For security tt is required to invalidate the JWT access token when a user logs out, because if someone steals the refresh token it could be used to retrieve and access token, but I guess you got my point.
Do you have any reference material that indicates this how are you so sure?
Furthermore do you know how to invalidate opaque tokens how a revocation request should be crafted and send to F5 oauth server, I could give it a try.
Thanks for the help