You're viewing Apigee Edge documentation.
Go to the
Apigee X documentation. info
Revoking access and refresh tokens
In some cases, apps are required to explicitly revoke or invalidate tokens, for example, when a user logs out of an OAuth-enabled app. If you revoke a token, it can be re-approved anytime before it expires.
The procedure for token revocation is defined by the OAuth 2.0 Token Revocation specification.
Apigee Edge provides an InvalidateToken operation that enables you to configure a dedicated token revocation endpoint. By publishing the URI of this endpoint, you enable app developers to invalidate tokens issued by Edge.
Here's an example configuration for the OAuthV2 policy and the InvalidateToken operation. In this case, both the access token and its associated refresh token are revoked. Technically, they are both revoked because the cascade flag is set to true. For more information about how the cascade flag works, see the Token element's attributes section below.
<OAuthV2 name="InvalidateToken">
<Operation>InvalidateToken</Operation>
<Tokens>
<Token type="accesstoken" cascade="true">flow.variable</Token>
</Tokens>
</OAuthV2>
<Tokens>/<Token> element
Identifies the flow variable that specifies the token to be revoked. If developers are
expected to submit a revocation request using a query parameter
named access_token, for example, the correct flow variable will
be: request.queryparam.access_token. To require the token in an HTTP header,
for example, set this value to request.header.access_token.
Attributes
-
type(required, string): The token type identified by the variable specified. Supported values areaccesstokenandrefreshtoken:- To revoke an access token, specify type accesstoken.
- To revoke both the access and refresh tokens, specify type refreshtoken. When it sees
type refreshtoken, Edge assumes the token is a refresh token. If that refresh token is
found, then it is revoked. If that refresh token is not found, then Edge checks to
see if it is an access token. If the access token exists, then it is revoked.
Note: If you pass an already invalidated token to an InvalidateToken policy, the policy doesn't return an error, although you might expect it to. Such an operation has no effect.
-
cascade(optional, boolean, default: true) The primary use of this attribute is to revoke a refresh token without revoking its associated access token. Consider these cases:- Revoke a refresh token only and do not revoke its associated access token. To do this,
set the <Token> type to
refreshtokenand set cascade tofalse. - Revoke both the access token and the refresh token. To do this, set the <Token>
type to
accesstoken. The value of cascade can be eithertrue(the default) orfalse. If you set it totrue, then both the access token and the refresh token are revoked. If you set it tofalse, the access token is revoked, and the refresh token is unusable. See the Note below for more explanation. - Revoke an access token and do not revoke its associated refresh token. Not supported. See the Note below for more explanation.
- Revoke a refresh token only and do not revoke its associated access token. To do this,
set the <Token> type to
Note: For security reasons, if you revoke an
access token, the associated refresh token will be revoked also. Therefore, you cannot use
the cascade attribute to revoke only an access token. For example, if you set the <Token>
type to accesstoken, and set cascade=false, the access token is revoked
(as expected); however, the associated refresh token is unusable. It cannot be used to refresh
the revoked access token. The primary use case for the cascade attribute is when you want to only
revoke a refresh token. In that case, set the <Token> type to refreshtoken,
and set cascade=false. The refresh token will be revoked, but its associated access
token will remain valid (until it expires or is revoked). For more information, see this
Community forum discussion.
Approving access and refresh tokens
Use the ValidateToken operation to "re-approve" a revoked token. That is, when you apply this operation, the status of the targeted access or refresh token is changed from 'revoked' to 'approved'. You can validate any revoked token that has not already expired.
<OAuthV2 name="ValidateToken">
<Operation>ValidateToken</Operation>
<Tokens>
<Token type="refreshtoken" cascade="true">flow.variable</Token>
</Tokens>
</OAuthV2>
<Tokens>/<Token> element
Identifies the flow variable that specifies the token to be validated. If developers are
expected to submit a validation request using a query parameter
named access_token, for example, the correct flow variable will
be: request.queryparam.access_token. To require the token in an HTTP header,
for example, set this value to request.header.access_token.
Attributes
type(required, string) The token type identified by the variable specified. Supported values areaccesstokenandrefreshtoken.cascade(optional, boolean): By default, this option is set totrue, and causes the validation to propagate to associated tokens. So, if applied to a refresh token, its associated access token is also validated. If applied to an access token, its associated refresh token is also validated. If you set this tofalse, then only the specified access or refresh token is validated.