F5 oauth server refresh token revocation

Marvin
Cirrostratus

Dear All,

I am working on an F5 as the OAuth server provider, which provides JWT access tokens for OAuth clients. Everything works fine, but now we want to know how to revoke the access / refresh tokens on the F5 OAuth server.

The endpoint is /f5-oauth2/v1/revoke; in the POST payload we set the following parameters:

client_id=we put the value here
client_secret=we put the value here
grant_type=refresh_token
token_content_type=jwt
refresh_token=we put the value here

We receive the response below:

{
  "error": "invalid_request",
  "error_description": "Required parameter (access_token or refresh_token) is missing"
}

Does someone have an idea how to modify the request to allow revocation to occur on the F5 OAuth server?


Dave_W
F5 Employee

Hello Marvin, the Token Revocation Endpoint is not supported with JWT tokens, only with Opaque tokens. As far as I can tell from doing some searching on JWT, it appears the short answer is you cannot revoke them.

Hi Dave, thanks for your answer. I don't understand why it shouldn't support this, so you are basically saying that I need an RFE to support this within F5 APM OAuth?

For security it is required to invalidate the JWT access token when a user logs out, because if someone steals the refresh token it could be used to retrieve an access token, but I guess you got my point.

Do you have any reference material that indicates this? How are you so sure?

Furthermore, do you know how to invalidate opaque tokens, i.e. how a revocation request should be crafted and sent to the F5 OAuth server? I could give it a try.

Thanks for the help

Hi Dave, I found the reference and indeed it is not supported. I have to see if this is acceptable from a security point of view. Thanks for the heads up!

Marvin
Cirrostratus

https://techdocs.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-access-5-4-0/6.html

Marvin
Cirrostratus

  1. For JWT Access Token Lifetime, type a number. This specifies the number of minutes a JWT access token is considered valid. In specifying this lifetime, consider that JWT access tokens cannot be revoked.
  2. For JWT Generate Refresh Token, select Enabled so the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
  3. For JWT Refresh Token Lifetime, type a number. This specifies the number of minutes a refresh token is considered valid. In specifying this lifetime, consider that JWT refresh tokens cannot be revoked.
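The documentation excerpt above states that JWT access and refresh tokens cannot be revoked at the authorization server, which leaves the concern raised earlier in the thread (invalidating a JWT when a user logs out) to the resource server. The following is an added example, not code from the original post, from F5 or from this thread: a resource-server-side check that verifies the JWT and consults a denylist keyed on the token's `jti` claim, filled on logout, with entries dropped once the token would have expired anyway. It uses a toy HS256 signer (`sign_jwt`) so it runs offline; F5 APM's actual signing key, algorithm and claim names are not assumed, and it is an assumption that the issued JWT carries a unique `jti`. `RevocationList`, `logout`, `token_status` and `ACCESS_TOKEN_LIFETIME_MIN` are illustrative names, and the key and claims are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# Mirrors the "JWT Access Token Lifetime" setting (minutes) quoted from the
# F5 docs above: a short lifetime bounds how long a non-revocable token lives.
ACCESS_TOKEN_LIFETIME_MIN = 5


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Stand-in for the authorization server so the example
    runs offline (assumption: F5 APM signs with its own configured key/alg)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class RevocationList:
    """Resource-server-side denylist keyed by jti.

    An entry is kept only until that token's exp; after that, ordinary expiry
    rejects the token anyway, so the list is bounded by the number of tokens
    revoked within one access-token lifetime."""

    def __init__(self):
        self._revoked = {}  # jti -> exp (seconds since epoch)

    def revoke(self, jti: str, exp: float) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: float) -> bool:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}  # purge expired
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


class TokenError(Exception):
    pass


def verify_access_token(token: str, key: bytes, revoked: RevocationList, now=None) -> dict:
    """Check structure, algorithm, signature, expiry and revocation; return claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    jti = claims.get("jti")
    if not jti:
        raise TokenError("no jti")  # without a unique id there is nothing to deny-list
    if revoked.is_revoked(jti, now):
        raise TokenError("revoked")
    return claims


def token_status(token: str, key: bytes, revoked: RevocationList, now=None) -> str:
    """Return 'ok' or the rejection reason instead of raising."""
    try:
        verify_access_token(token, key, revoked, now)
        return "ok"
    except TokenError as err:
        return str(err)


def logout(token: str, key: bytes, revoked: RevocationList, now=None) -> str:
    """Application logout handler: the AS cannot revoke the JWT, so the resource
    server records its jti until the token would have expired on its own."""
    claims = verify_access_token(token, key, revoked, now)
    revoked.revoke(claims["jti"], claims["exp"])
    return claims["jti"]


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    now = 1_700_000_000                    # fixed clock for a reproducible run
    revoked = RevocationList()
    tok = sign_jwt({"sub": "marvin", "jti": "t-001",
                    "exp": now + ACCESS_TOKEN_LIFETIME_MIN * 60}, key)
    print(token_status(tok, key, revoked, now))
    logout(tok, key, revoked, now)
    print(token_status(tok, key, revoked, now))
    print(token_status(tok, key, revoked, now + ACCESS_TOKEN_LIFETIME_MIN * 60 + 1), len(revoked))
```

This only covers the access token at the resource server. A stolen refresh token is exchanged at the authorization server, which this denylist never sees, so for the refresh token the only lever the quoted documentation leaves is the lifetime setting (or the opaque token format, which the F5 employee's reply says the revocation endpoint does support).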

 

Marvin
Cirrostratus

It seems they already addressed this issue:

 

Bug alias 679219 [OAuth AS] [RFE] Support revocation of JWT refresh token