Previous token is revoked when token endpoint is called even before token expiry

Question

Called API manager token endpoint from a application. Got the token and invoked the API. Next time token call before token 1 is expired, revoked the token 1 and generated a new token. Shouldn't it send the token 1 without a new token?

2nd token call revoked the 1st token and generated a new token. Even if it generated a new token, token 1 should be active because token was not expired.

Lakshitha · Accepted Answer · 2023-01-30T14:19:23.160

1

This is the design of the JWT tokens and at a given time, there will always be one active token for a given client ID secret pair.

That's why whenever you request a new token, token 1 was revoked. If you used opaque token, this is different and the same token will be sent during the lifetime of that token irrespective of the number of token calls.

This difference between JWT and opaque is as JWT tokens are large in size (with additional claims), only the JTI value is persisted in the database compared to opaque tokens where the entire token persisted. Because of this, KM cannot generate the same JWT twice and that's why the KM does not send the same token even though the previous token was valid. This issue was not present with the opaque tokens.

Edit:

You can achieve this same client ID secret with multiple tokens use case by using device scopes (Or any other scopes). The difference is,

If scopes and clientID secret are the same in both token calls, 1st token will be revoked with the 2nd call.
If the scopes are different, without revoking the 1st token, 2nd token will be generated with different scopes.

edited Jan 30 '23 at 14:19

answered Jan 24 '23 at 16:17

Lakshitha

1,021
1
6
15

how to disable this? – Bilal Ahmed Jan 24 '23 at 16:49
how to create opaque token in 41? – Bilal Ahmed Jan 25 '23 at 04:22
Since this is the design, there is no otherway to disable it. – Lakshitha Jan 26 '23 at 16:18
1

API Manager has discontinued the opaque token in the 4.x series as they reduced the GW to KM calls which is a significant performance gain. If you wanted to create an opaque token application, it will bit tricky. You first need to create a service provider with the opaque type and you can assign application for this type. – Lakshitha Jan 26 '23 at 16:19
Help https://stackoverflow.com/questions/75284429/how-to-create-oauth2-opaquereference-access-tokens – Bilal Ahmed Jan 30 '23 at 12:37

Pubci · Answer 2 · 2023-01-30T12:45:15.837

0

When you are using JWT tokens in API Manager here is the expected behaviour.

If you request a token from the token api, it provides a new token always and won't provide the active token.
Token gets revoked when you request a new token in the latest API Manager 4.1.0.

Update:

You can add the following configuration to the API Manager to disable the token revocation.

[oauth.access_token]
invoke_token_revocation_event_on_renewal = false

edited Jan 30 '23 at 12:45

answered Jan 24 '23 at 04:34

Pubci

3,834
1
13
28

With the latest APIM (APIM 4.1.0), the previous token gets revoked. – Lakshitha Jan 24 '23 at 16:11
@Pubuci it is revoking. I use apimanager 41 – Bilal Ahmed Jan 24 '23 at 16:48
Thanks for the heads up! Looks like the behavior has changed. – Pubci Jan 24 '23 at 17:28
how to disable this? – Bilal Ahmed Jan 26 '23 at 13:03
Help https://stackoverflow.com/questions/75284429/how-to-create-oauth2-opaquereference-access-tokens – Bilal Ahmed Jan 30 '23 at 12:37
Updated both questions – Pubci Jan 30 '23 at 12:45

Previous token is revoked when token endpoint is called even before token expiry

2 Answers2

Linked