Tags: authentication, oracle-rest-data-services

How to revoke an access token?


I'm developing a login with Angular, exposing my database functions via ORDS. At the moment I generate an access token to display my database views exposed via web API, and I use the following cmd command:

curl -i -k --user <client_id>:<client_secret> --data "grant_type=client_credentials" http://mydomain/ords/myuser/oauth/token 

Can someone suggest a cmd line that allows me to revoke the created token?

I tried using the following cmd:

curl -k -v -d "token=<myToken>" -H "Authorization: Basic <base64 string>" -H "Content-Type: application/x-www-form-urlencoded" http://mydomain/ords/myuser/oauth/token/revoke

but it always gives me back:

{
    "code": "MethodNotAllowed",
    "message": "Method Not Allowed",
    "type": "tag:oracle.com,2020:error/MethodNotAllowed",
    "instance": "tag:oracle.com,2020:ecid/nuwMG_FM5KkwLETSjIA3cQ"
}


Solution

  • The simple answer is that you cannot revoke a specific Access Token, since it's a self-sustained signed document (like a JWT). It's as if you had issued a passport: border control will not double-check its validity with you.

    What you can do is:

    • You can kindly ask the client to discard the Access Token. But there is no guarantee and the Access Token is not revoked as such. This is normally done when a client logs out. (Please destroy your passport.)

    • You can revoke ALL your Access Tokens by changing your signing key pair. This will however log out all your clients. (This type of passport is no longer valid at all.)

    • You can blacklist a specific Access Token (by for example a specific value in the sub field of a JWT, like a specific user) if you have control over the API Gateway that verifies incoming requests (with Access Tokens). You would need to manually have some code that compares incoming Access Tokens with a Deny-List. (This only works if you can contact all border controls.)

    • You can set a short TTL on your Access Tokens (the exp field of a JWT) and, instead of revoking an Access Token, just not renew it once it expires. If you have a short enough expiry time (like some minutes), the damage of not being able to immediately revoke it may be limited. (A short expiry date on the passport will give you more administration with renewals, but also some "revoke" capabilities.)
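As an added illustration of the last two points (a gateway-side deny-list on the sub claim plus a short exp), here is a small stand-alone check in Python. It is example code, not part of the answer above and not ORDS code; it assumes the tokens are HS256 JWTs signed with a shared key (a constructed demo key here), which may not match how ORDS actually issues its tokens.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real gateway would load its verification key from configuration.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, ttl_seconds: int, now: int) -> str:
    """Issue an HS256 JWT with a short lifetime (the 'exp' approach from the answer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl_seconds}).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def check_token(token: str, deny_list: set, now: int) -> str:
    """Gateway-side check: structure, algorithm, signature, expiry, then the deny-list on 'sub'."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return "malformed"
    if header.get("alg") != "HS256":  # reject algorithm-confusion attempts
        return "bad-alg"
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"
    if claims.get("exp", 0) <= now:  # a short TTL limits how long a leaked token stays usable
        return "expired"
    if claims.get("sub") in deny_list:  # the "blacklist a specific sub" option
        return "denied"
    return "ok"
```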