13-May-2020 12:28
Dear All,
I am working on an F5 as the OAuth server provider, which provides JWT access tokens for OAuth clients. Everything works fine, but now we want to know how to revoke the access / refresh tokens on the F5 OAuth server.
The endpoint is /f5-oauth2/v1/revoke; in the POST payload data we set the following parameters.
client_id=we put the value here
client_secret=we put the value here
grant_type=refresh_token
token_content_type=jwt
refresh_token=we put the value here
We receive the response below:
{
"error": "invalid_request",
"error_description": "Required parameter (access_token or refresh_token) is missing"
}
Does anyone have an idea how to modify the request to allow revocation to occur on the F5 OAuth server?
14-May-2020 10:52
Hello Marvin, the Token Revocation Endpoint is not supported with JWT tokens, only with opaque tokens. As far as I can tell from doing some searching on JWT, it appears the short answer is you cannot revoke them.
14-May-2020 13:24
Hi Dave, thanks for your answer. I don't understand why it shouldn't support this, so you are basically saying that I need an RFE to support this within F5 APM OAuth?
For security it is required to invalidate the JWT access token when a user logs out, because if someone steals the refresh token it could be used to retrieve an access token, but I guess you got my point.
Do you have any reference material that indicates this, or how are you so sure?
Furthermore, do you know how to invalidate opaque tokens, i.e. how a revocation request should be crafted and sent to the F5 OAuth server? I could give it a try.
Thanks for the help
14-May-2020 16:33
Hi Dave, I found the reference and indeed it is not supported. I have to see if this is acceptable from a security point of view. Thanks for the heads up!
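Since the issuer cannot revoke a self-contained JWT, the logout requirement Marvin raises is usually met on the resource server instead: it keeps a denylist of jti values revoked at logout, bounded by the access-token lifetime, and rejects those tokens alongside the usual signature and exp checks. This is an added example, not code from the thread or from F5; HS256 with a constructed secret stands in for the F5 server's signing key, and the jti and exp claims are assumed to be present in the issued tokens.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; stands in for the issuer's signing key (assumption).
SECRET = b"demo-signing-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict) -> str:
    """Mint an HS256 JWT (stand-in for tokens the OAuth server issues)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Resource-server state: jti -> exp for tokens revoked at logout.
revoked_jti = {}

def revoke_on_logout(token: str) -> None:
    """Deny the token's jti until its exp; after that the exp check alone rejects it."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    revoked_jti[claims["jti"]] = claims["exp"]

def is_token_valid(token: str, now=None) -> bool:
    """Accept only if signature, exp and the jti denylist all pass."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False  # forged or tampered token
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return False  # malformed structure, base64 or JSON
    if claims.get("exp", 0) <= now:
        return False  # expired; this is what bounds the denylist size
    # Purge entries whose tokens have expired so the denylist stays small.
    for jti, exp in list(revoked_jti.items()):
        if exp <= now:
            del revoked_jti[jti]
    return claims.get("jti") not in revoked_jti
```

Keeping access-token lifetimes short limits how long the denylist must be retained and how long a stolen token stays usable before this check catches it.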