doc: clarify token revocation (some edits)
[#177045463]

Co-authored-by: Peter Chen <[email protected]>
bruce-ricard and peterhaochen47 committed Mar 1, 2024
1 parent e44dda4 commit e072ab3
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions uaa/slateCustomizations/source/index.html.md.erb
@@ -378,14 +378,17 @@ _Response Fields_
Added in UAA 3.3.0
</aside>

When an access token is revoked using this endpoint, the UAA Introspect Token endpoint (``/introspect``)
will respond with ``"active": false`` when presented with the revoked access token.
Both access and refresh tokens can be passed to the ``/revoke`` endpoint.

When an access token is successfully passed to the ``/revoke`` endpoint, and then when the same token is
passed to the UAA Introspect Token endpoint (``/introspect``), the UAA Introspect Token endpoint
will respond with ``"active": false``.

If the access token is in the JWT format (as opposed to the opaque format), the server config ``uaa.jwt.revocable`` or
the Identity Zone config ``config.tokenPolicy.jwtRevocable`` must be set to ``true`` for
this feature to work. However, OAuth resource servers are generally not required to call the UAA Introspect
Token endpoint to validate the status of the token. Once issued, a valid access token
in the JWT format is generally considered valid until its expiry. Hence, we do not recommend
the revocation to work. However, OAuth resource servers are not required to call the UAA Introspect
Token endpoint to validate the token. Once issued, from a security point of view, a valid access token
in the JWT format should be considered valid until its expiry. Hence, we do not recommend
relying on this endpoint to revoke access tokens in the JWT format. If the ability
to remove/limit access after the tokens are issued is important to you, we recommend the following instead:

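Review bot: the reworked closing paragraph of this hunk ("However, OAuth resource servers are not required to call the UAA Introspect Token endpoint to validate the token. Once issued, from a security point of view, a valid access token in the JWT format should be considered valid until its expiry.") would read better if it stated the consequence outright: revoking a JWT access token only takes effect for callers that consult ``/introspect`` (which then answers ``"active": false``), while a resource server that does not call ``/introspect`` will keep accepting that token until it expires. Suggest adding one sentence to that effect before "Hence, we do not recommend ...", so the recommendation visibly follows from the preceding lines rather than appearing as an assertion. Minor: "successfully passed to the ``/revoke`` endpoint" leaves open what counts as success; consider "passed to the ``/revoke`` endpoint and a success response is returned".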
@@ -395,11 +398,11 @@ the UAA Introspect Token endpoint to validate that the tokens have not been revo
(e.g. a few minutes), and when needed, revoke the more long-lived refresh tokens so that they
may no longer be used to obtain refreshed access tokens.

When a refresh token is in the opaque format and revoked using this endpoint, the refresh token
will no longer be considered valid when used to perform the Refresh Token grant.
When a refresh token in the opaque format is successfully passed to the ``/revoke`` endpoint,
the refresh token can no longer be used to perform the Refresh Token grant.
When a refresh token is in the JWT format, the server config ``uaa.jwt.revocable`` or
the Identity Zone config ``config.tokenPolicy.jwtRevocable`` must be set to ``true`` for
this feature to work.
the "Revoke a single token" endpoint (``/oauth/token/revoke/{tokenId}``) to work.

### Revoke all tokens for a user

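Review bot: the endpoint is named two different ways within this hunk: the new line "successfully passed to the ``/revoke`` endpoint" versus the new closing line "the "Revoke a single token" endpoint (``/oauth/token/revoke/{tokenId}``)". Pick one form for the whole section, for example give the full path once where the endpoint is first mentioned and refer to ``/revoke`` afterwards, or use the full path in both places. The rewritten closing line is otherwise an improvement over "this feature to work", since it names exactly what ``uaa.jwt.revocable`` / ``config.tokenPolicy.jwtRevocable`` gates for JWT refresh tokens.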