invalid_request error using revocation endpoint for OIDC configuration

Article ID: 226857

Updated On: 01-27-2025

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

An HTTP GET request is made to https://<AG Server>.example.com/affwebservices/CASSO/oidc/sample_client/revoke

The response is:
{"error": "invalid_request","error_description":"GET request is not allowed."}

Environment

Broadcom Access Gateway 12.8 ANY

Cause

The token revocation standard that the OIDC configuration follows, RFC 7009, stipulates:
https://datatracker.ietf.org/doc/html/rfc7009

"The client requests the revocation of a particular token by making an
 HTTP POST request to the token revocation endpoint URL.  This URL
 MUST conform to the rules given in [RFC6749], Section 3.1.  Clients
 MUST verify that the URL is an HTTPS URL."

Using POST to pass the input parameters to the revocation endpoint is more secure: the token travels in the request body rather than in the URL, so it does not end up in web server or proxy logs, browser history, or Referer headers.

Broadcom SiteMinder and many other vendors only support HTTP POST to the revocation endpoint URL.

SiteMinder documentation has examples for this.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/authentication-using-authorization-code-flow.html#concept.dita_00b756e30ce1599f89d9e9fb3e45f0491a4234e4_RevocationTokenEndpoint

Resolution

The solution is to ask the application owner to send an HTTP POST request to the revocation endpoint URL instead of a GET.
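The following is an added example, not code from the Broadcom article or from SiteMinder. It builds the revocation request the way RFC 7009 requires (HTTP POST, form-encoded body, HTTPS URL, client authentication) and pairs it with a small stand-in for the provider side that answers a GET with the same invalid_request error the article shows. The hostname, client ID, client secret and token value are constructed placeholders; the real values come from the application's SiteMinder OIDC client configuration.

```python
"""
Added example (not the article's or SiteMinder's code): an RFC 7009 token
revocation request built as an HTTP POST, plus a toy endpoint that rejects
anything other than POST the way the article describes.
"""
from __future__ import annotations

import base64
import urllib.parse
import urllib.request

# Constructed placeholders; substitute the values from the OIDC client configuration.
REVOCATION_URL = "https://ag-server.example.com/affwebservices/CASSO/oidc/sample_client/revoke"
CLIENT_ID = "sample_client"
CLIENT_SECRET = "placeholder-client-secret"


def build_revocation_request(token: str, token_type_hint: str = "access_token") -> urllib.request.Request:
    """Return a prepared (not yet sent) POST request per RFC 7009 section 2.1.

    The token goes in the form-encoded body, never in the query string, so it
    does not land in proxy logs, browser history or Referer headers. The client
    authenticates with HTTP Basic credentials as in RFC 6749 section 2.3.1.
    """
    # RFC 7009: clients MUST verify that the revocation URL is an HTTPS URL.
    if not REVOCATION_URL.startswith("https://"):
        raise ValueError("revocation endpoint must be an HTTPS URL")

    body = urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint}).encode()
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()

    req = urllib.request.Request(REVOCATION_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", f"Basic {creds}")
    return req


def revocation_endpoint(method: str, body: bytes) -> tuple[int, dict]:
    """Toy stand-in for the provider side (not SiteMinder's implementation).

    Mirrors the behaviour the article reports: any method other than POST is
    rejected with an invalid_request error; a POST must carry a token parameter.
    """
    if method != "POST":
        return 400, {
            "error": "invalid_request",
            "error_description": f"{method} request is not allowed.",
        }
    params = urllib.parse.parse_qs(body.decode())
    if "token" not in params:
        return 400, {"error": "invalid_request", "error_description": "token parameter missing"}
    # A real provider would look the token up and mark it revoked here.
    # RFC 7009 section 2.2: success is an HTTP 200 with an empty body.
    return 200, {}


if __name__ == "__main__":
    req = build_revocation_request("constructed-token-value", "refresh_token")
    print("Method:", req.get_method(), "URL:", req.full_url)
    print("GET  ->", revocation_endpoint("GET", b""))
    print("POST ->", revocation_endpoint("POST", req.data))
```

Sending the prepared request with urllib.request.urlopen(req) would perform the real revocation; the toy endpoint exists only so the contrast between the rejected GET and the accepted POST can be checked offline.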

Additional Information

https://datatracker.ietf.org/doc/html/rfc7009

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/authentication-using-authorization-code-flow.html#concept.dita_00b756e30ce1599f89d9e9fb3e45f0491a4234e4_RevocationTokenEndpoint