How to revoke an Access Token with PingFederate

Is there any endpoint on PingFederate (version 7.1.3.1), that we can use to revoke an OAuth Access Token?

Freelander asked Sep 02 '14 08:09


1 Answer

There are features in PingFederate 7.2 (and up) that enable this. See: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=wmo1564003025254.html (support for RFC 7009 - requires presenting the existing Access Token or Refresh Token)

and: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=rlc1564003026400.html (API for revoking "persistent grants", which may impact previously issued Access Tokens, depending on configuration)

You're probably already aware, but there's also an end user facing grants management page that's been in the product since the original OAuth functionality. See: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=yjb1564003025319.html

If your access tokens are set up as reference-based tokens, then validation (via the introspection endpoint) will show that they're no longer valid if the backing persistent grant (usually meaning a refresh token) is revoked. If you are using JSON Web Token (JWT) formatted access tokens and you want revoked persistent grants to impact them, then ensure that the Access Grant GUID is included in them (see Access Grant GUID Claim Name here) and that you're doing the token endpoint based validation (not just locally validating a signature on the JWT in your RS).

Scott T. answered Oct 01 '22 17:10