Menu
Is there any endpoint on PingFederate (version 7.1.3.1), that we can use to revoke an OAuth Access Token?
205
There are features in PingFederate 7.2 (and up) that enable this. See: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=wmo1564003025254.html (support for RFC 7009 - requires presenting the existing Access Token or Refresh Token)
and: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=rlc1564003026400.html (API for revoking "persistent grants" which may impact previous issued Access Tokens, depending on configuration)
You're probably already aware, but there's also an end user facing grants management page that's been in the product since the original OAuth functionality. See: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=yjb1564003025319.html
If your access tokens are set up as reference based tokens, then validation (via the introspection endpoint) will show that they're no longer valid if the backing persistent grant (usually meaning a refresh token) is revoked. If you are using JSON Web Token (JWT) formatted access tokens, and you want revoked persistent grants to impact them then ensure that the Access Grant GUID is included in them (see Access Grant GUID Claim Name here) and that you're doing the token endpoint based validation (not just locally validating a signature on the JWT in your RS).
182
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
