I am working on an F5 as the OAuth server provider, which provides JWT access tokens for OAuth clients. Everything works fine, but now we want to know how to revoke the access / refresh tokens on the F5 OAuth server.
The endpoint is /f5-oauth2/v1/revoke. In the POST payload data we set the following parameters:
client_id=we put the value here
client_secret=we put the value here
refresh_token=we put the value here
We receive the response below:
"error_description": "Required parameter (access_token or refresh_token) is missing"
Does anyone have an idea how to modify the request to allow revocation to occur on the F5 OAuth server?
Hello Marvin, the Token Revocation Endpoint is not supported with JWT tokens, only with Opaque tokens. As far as I can tell from doing some searching on JWT, it appears the short answer is you cannot revoke them.
Hi Dave, thanks for your answer. I don't understand why it shouldn't support this. So you are basically saying that I need an RFE to support this within F5 APM OAuth?
For security, it is required to invalidate the JWT access token when a user logs out, because if someone steals the refresh token it could be used to retrieve an access token, but I guess you got my point.
Do you have any reference material that indicates this? How are you so sure?
Furthermore, do you know how to invalidate opaque tokens, and how a revocation request should be crafted and sent to the F5 OAuth server? I could give it a try.
Thanks for the help
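Why a logout at the authorization server does not by itself stop a JWT access token from being accepted, as an added example that is not part of the thread and is not F5 APM code: a resource server that validates an HS256 JWT locally keeps accepting it until `exp`, unless it also consults a denylist of `jti` values. The key, claim values and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed shared secret, not a real credential

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(sub: str, jti: str, exp: int) -> str:
    """Authorization server side: sign an HS256 JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "jti": jti, "exp": exp}).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_jwt(token: str, now: int, revoked_jti=frozenset()) -> bool:
    """Resource server side: local check only, the issuer is never contacted."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False
        expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False
        claims = json.loads(b64url_decode(payload))
        # Signature and expiry are all a stateless validator can see;
        # the jti denylist is the only state that expresses "logged out".
        return claims["exp"] > now and claims.get("jti") not in revoked_jti
    except (ValueError, TypeError, KeyError, AttributeError):
        return False

def demo():
    now = 1_700_000_000  # constructed timestamp
    token = issue_jwt("marvin", "jti-001", now + 300)
    before_logout = validate_jwt(token, now)
    # User logs out 60 s later; a validator with no denylist cannot tell.
    after_logout = validate_jwt(token, now + 60)
    # Same moment, but the resource server checks a shared jti denylist.
    with_denylist = validate_jwt(token, now + 60, revoked_jti={"jti-001"})
    expired = validate_jwt(token, now + 301)
    return before_logout, after_logout, with_denylist, expired

if __name__ == "__main__":
    print(demo())
```

Short access-token lifetimes bound the window shown by `after_logout`; the denylist only has to hold entries until each token's `exp` passes.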