1

I am using Apereo CAS with supports OAuth2.0 (Link to docs). I am successfully issuing the access token through path: 

[url_cas]/oauth2.0/accessToken?grant_type=password&client_id=[client_id]&username=[user]&password=[password]

How to revoke this access token generated (Application logout)? I didn't find in the documentation any information.

I tried to execute logout with Apereo CAS Rest (Link to docs) through path:

DELETE [url_cas]/v1/tickets/AT-1-g6G2c3PwFrsXoSYlVhrrdLCqjiUQgkMS

And Apereo CAS returns a error:

Ticket [AT-1-g6G2c3PwFrsXoSYlVhrrdLCqjiUQgkMS is of type class org.apereo.cas.ticket.accesstoken.AccessTokenImpl when we were expecting interface org.apereo.cas.ticket.TicketGrantingTicket

Is there any way to perform this operation?

Thanks.

Leonardo Corrêa Braga
  • 25
  • 3

1 Answers1

2

I do not think that capability is available in CAS 5.2.x. It may be possible to see the active sessions using the /status/ssosessions endpoint (once you turn it on and enable secure access to it). Alternatively, you could create your own endpoint to do this securely.

See this link.

Starting with CAS 6.1, there is a dedicated endpoint available for OAUTH tokens, /actuator/oauthTokens, that is modeled as a Spring Boot actuator endpoint. It allows you to manage and control OAuth2 access tokens:

  • A GET operation produces a list of all access/refresh tokens.
  • A DELETE operation will delete the provided access/refresh token provided in form of a parameter selector. (i.e. /{token}).
  • A GET operation produces with a parameter selector of /{token} will list the details of the fetched access/refresh token.

See this link for details.

Misagh Moayyed
  • 4,154
  • 2
  • 15
  • 25
  • Thanks for the answer. I believe that it will be better to create a own endpoint for this operation because otherwhise it would hava to allow users to access the CAS monitoring endpoints. – Leonardo Corrêa Braga Mar 13 '20 at 17:04