Forum Discussion
F5 oauth server refresh token revocation
Dear All,
I am working on an F5 as the OAuth server provider, which provides JWT access tokens for OAuth clients. Everything works fine, but now we want to know how to revoke the access / refresh tokens on the F5 OAuth server.
The endpoint is /f5-oauth2/v1/revoke. In the POST payload we set the following parameters:
client_id=we put the value here
client_secret=we put the value here
grant_type=refresh_token
token_content_type=jwt
refresh_token=we put the value here
We receive the response below:
{
"error": "invalid_request",
"error_description": "Required parameter (access_token or refresh_token) is missing"
}
Does anyone have an idea how to modify the request so that revocation occurs on the F5 OAuth server?
- MarvinCirrocumulus
It seems they already addressed this issue:
Bug alias 679219 [OAuth AS] [RFE] Support revocation of JWT refresh token
- MarvinCirrocumulus
- For JWT Access Token Lifetime, type a number.
- This specifies the number of minutes a JWT access token is considered valid. In specifying this lifetime, consider that JWT access tokens cannot be revoked.
- For JWT Generate Refresh Token, select Enabled so the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
- For JWT Refresh Token Lifetime, type a number.
- This specifies the number of minutes a refresh token is considered valid. In specifying this lifetime, consider that JWT refresh tokens cannot be revoked.
- MarvinCirrocumulus
https://techdocs.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-access-5-4-0/6.html
- Dave_WEmployee
Hello Marvin, the Token Revocation Endpoint is not supported with JWT tokens, only with opaque tokens. As far as I can tell from doing some searching on JWT, it appears the short answer is that you cannot revoke them.
- MarvinCirrocumulus
Hi Dave, I found the reference and indeed it is not supported. I have to see if this is acceptable from a security point of view. Thanks for the heads up!
- MarvinCirrocumulus
Hi Dave, thanks for your answer. I don't understand why it shouldn't support this, so you are basically saying that I need an RFE to support this within F5 APM OAuth?
For security it is required to invalidate the JWT access token when a user logs out, because if someone steals the refresh token it could be used to retrieve an access token, but I guess you got my point.
Do you have any reference material that indicates this? How are you so sure?
Furthermore, do you know how to invalidate opaque tokens, i.e. how a revocation request should be crafted and sent to the F5 OAuth server? I could give it a try.
Thanks for the help
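The security concern raised in the thread (a JWT access token stays valid until its exp claim even after logout, because the authorization server cannot revoke it) can be handled at the resource server instead. The following is an added example, not code from this thread or from F5: it verifies a JWT's signature and exp, and keeps a logout denylist keyed on jti that is held only until the token would expire anyway. The HS256 signer, the key, the ResourceServer class and the claim set are constructed assumptions; F5 APM's real signing keys and claims are not shown here.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    # Constructed HS256 signer standing in for the authorization server.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class ResourceServer:
    """Accepts a JWT only if the signature and exp check out and its jti has
    not been logged out. Denylist entries are dropped once exp has passed,
    so the list stays bounded by the access-token lifetime."""
    def __init__(self, key: bytes):
        self.key = key
        self.denied = {}  # jti -> exp

    def verify(self, token: str, now: float):
        try:
            header, body, sig = token.split(".")
            if json.loads(_b64url_decode(header)).get("alg") != "HS256":
                return None  # refuse algorithm substitution (e.g. "none")
            expected = hmac.new(self.key, f"{header}.{body}".encode(),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return None
            claims = json.loads(_b64url_decode(body))
        except ValueError:
            return None
        if claims.get("exp", 0) <= now:
            return None  # expired: no denylist lookup needed
        if claims.get("jti") in self.denied:
            return None  # logged out before exp
        return claims

    def logout(self, token: str, now: float) -> bool:
        claims = self.verify(token, now)
        if claims is None or "jti" not in claims:
            return False
        self.denied[claims["jti"]] = claims["exp"]
        # prune entries whose tokens have already expired on their own
        self.denied = {j: e for j, e in self.denied.items() if e > now}
        return True
```

The same pattern applies to refresh tokens if the resource server and token endpoint share the denylist; the denylist size is bounded by the lifetimes configured in the F5 settings quoted above.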