Access tokens are sent to the front-end application in order to access data on the back end. Therefore, they are subject to the same policies, as session. They need to terminate after some inactivity and have a maximum lifetime. When a user logs off explicitly, all associated tokens need to be revoked.

Right now, credential management page, which uses access token to call AuthHub API has to be modified.

Unable to revoke an access token - response is the token type is not supported.

Successful call to revocation API for refresh token, however the call seems to be ignored:

• Revocation can be invoked multiple times, each time successful.
• After revocation, able to use the refresh token to get new access tokens via refresh_token grant. Waited up to 10
• seconds, between revocation and refresh.
• When a put a garbage token, the result is still "success".

Ideally:

• revoking the refresh token should invalidate all the access tokens.
• access tokens should be opaque. JWTs can be unpacked. Sending JWTs to the front end raises privacy concerns and shows up during application security scans when they try to use ID tokens as session.
• Token inactivity is a nice to have feature, we currently have, which would eliminate the need for refresh token and it will need the revocation of access token.
   

Release : 12.8

VIP Authentication Hub - version 1.0.3186

To Revoke an Access Token or Refresh Token these additional parameters need to be set in the Tenant Settings or Global Settings. Once these settings are in place the Token revocation should work fine.

    {
        "name": "trackAccessToken",
        "value": "true"
       
    },
    {
        "name": "trackIdentityToken",
        "value": "true"
        
    }

Note->  Revocation of Refresh Token had issues and upon introspection they still came back as active, so this issue is addressed in Oct.06 release.