Access tokens are issued to the front-end application so that it can access data on the back end. They are therefore subject to the same policies as sessions: they need to time out after a period of inactivity and have a maximum lifetime, and when a user logs off explicitly, all tokens associated with that session need to be revoked.
Right now, the credential management page, which uses an access token to call the AuthHub API, has to be modified.
Attempting to revoke an access token fails: the response states that the token type is not supported.
Calling the revocation API for a refresh token returns success; however, the revocation appears to be ignored:
Ideally:
Release: 12.8
VIP Authentication Hub: version 1.0.3186
To revoke an access token or refresh token, the following additional parameters need to be set in the Tenant Settings or Global Settings. Once these settings are in place, token revocation should work fine.
{
    "name": "trackAccessToken",
    "value": "true"
},
{
    "name": "trackIdentityToken",
    "value": "true"
}
Note: Revocation of refresh tokens had an issue: after a successful revocation call, introspection still reported them as active. This issue is addressed in the Oct. 06 release.
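Because a successful response from the revocation endpoint was not, on the affected release, proof that the token was dead, the practical check is to revoke and then introspect the same token. The following is an added example written for this article, not VIP Authentication Hub code: the endpoint paths (/oauth2/revoke, /oauth2/introspect), HTTP Basic client authentication and the JSON error bodies are assumptions modelled on RFC 7009 and RFC 7662, and the FakeAuthHub class is a constructed stand-in that reproduces the two behaviours described above (unsupported token type when the access token is not tracked, and a refresh-token revocation that returns success but leaves the token active) so the script runs offline.

```python
"""Revoke an OAuth 2.0 token, then prove the revocation took effect via introspection.

Added example, not VIP Authentication Hub code. Endpoint paths, HTTP Basic client
authentication and error bodies are assumptions modelled on RFC 7009 / RFC 7662.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Tenant/Global Settings entries quoted in the resolution above.
TENANT_SETTINGS = [
    {"name": "trackAccessToken", "value": "true"},
    {"name": "trackIdentityToken", "value": "true"},
]


def _basic_auth(client_id, client_secret):
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _post_form(url, form, auth_header, transport=None):
    """POST a form-encoded body; returns (status, parsed JSON body or None).
    `transport` is an optional callable (url, body, headers) -> (status, json) for offline use."""
    body = urllib.parse.urlencode(form).encode()
    headers = {"Authorization": auth_header,
               "Content-Type": "application/x-www-form-urlencoded"}
    if transport is not None:
        return transport(url, body, headers)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            text = resp.read().decode()
            return resp.status, (json.loads(text) if text else None)
    except urllib.error.HTTPError as err:
        text = err.read().decode()
        return err.code, (json.loads(text) if text else None)


def revoke_token(base_url, client_id, client_secret, token, token_type_hint, transport=None):
    """RFC 7009 revocation request. Returns (http_status, error_code_or_None).
    A 200 only means the server accepted the request, not that the token is dead."""
    status, body = _post_form(f"{base_url}/oauth2/revoke",  # assumed path
                              {"token": token, "token_type_hint": token_type_hint},
                              _basic_auth(client_id, client_secret), transport)
    error = body.get("error") if isinstance(body, dict) else None
    return status, error


def introspect_token(base_url, client_id, client_secret, token, transport=None):
    """RFC 7662 introspection. True only if the server reports active=true."""
    status, body = _post_form(f"{base_url}/oauth2/introspect", {"token": token},  # assumed path
                              _basic_auth(client_id, client_secret), transport)
    if status != 200 or not isinstance(body, dict):
        raise RuntimeError(f"introspection failed: HTTP {status} {body!r}")
    return body.get("active") is True


def revoke_and_verify(base_url, client_id, client_secret, token, token_type_hint, transport=None):
    """Revoke, then introspect: the introspection result is the one that counts.
    Returns "revoked", "unsupported_token_type", "still_active" or "http_<status>"."""
    status, error = revoke_token(base_url, client_id, client_secret, token, token_type_hint, transport)
    if error == "unsupported_token_type":
        return "unsupported_token_type"
    if status != 200:
        return f"http_{status}"
    active = introspect_token(base_url, client_id, client_secret, token, transport)
    return "still_active" if active else "revoked"


class FakeAuthHub:
    """Constructed stand-in for the server so the example runs offline. Revoking an
    access token while trackAccessToken is not "true" fails with unsupported_token_type;
    with refresh_revocation_bug=True a refresh-token revocation returns 200 but the token
    still introspects as active (the behaviour the note above describes)."""

    def __init__(self, settings, refresh_revocation_bug=False):
        self.track = {s["name"]: s["value"] == "true" for s in settings}
        self.bug = refresh_revocation_bug
        # constructed sample tokens: value -> (type, active)
        self.tokens = {"at-111": ("access_token", True), "rt-222": ("refresh_token", True)}

    def __call__(self, url, body, headers):
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, {"error": "invalid_client"}
        form = dict(urllib.parse.parse_qsl(body.decode()))
        entry = self.tokens.get(form.get("token", ""))
        if url.endswith("/oauth2/introspect"):
            return 200, {"active": bool(entry and entry[1])}
        if url.endswith("/oauth2/revoke"):
            if entry is None:
                return 200, None  # RFC 7009: unknown tokens are accepted silently
            kind, _ = entry
            if kind == "access_token" and not self.track.get("trackAccessToken", False):
                return 400, {"error": "unsupported_token_type"}
            if not (kind == "refresh_token" and self.bug):
                self.tokens[form["token"]] = (kind, False)
            return 200, None
        return 404, None


if __name__ == "__main__":
    hub = FakeAuthHub(TENANT_SETTINGS)
    for tok, hint in (("at-111", "access_token"), ("rt-222", "refresh_token")):
        print(tok, revoke_and_verify("https://hub.example", "cid", "secret", tok, hint, hub))
```

Against a real tenant, drop the `transport` argument and pass the tenant's base URL and client credentials; `revoke_and_verify` returning "still_active" for a refresh token is the symptom the note describes, and "unsupported_token_type" for an access token means the tracking settings above are not in effect.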