Question

I am using the SAML2 Bearer assertion profile to obtain OAuth tokens from WSO2 API Manager. I have two client applications. In the OAuth token revoking process I am using the following code:

public static boolean revokeToken(Token token) throws IOException {
    // Create connection to the token endpoint of API Manager
    URL url = new URL(Config.apiMangerOAuthRevokeURL);

    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    connection.setRequestMethod("POST");
    connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");

    String userCredentials = Config.apiMangerClientID+":"+ Config.apiMangerClientSecret;
    String basicAuth = "Basic " + new String(Base64.encodeBytes(userCredentials.getBytes()));
    basicAuth = basicAuth.replaceAll("\\r|\\n", "");

    // Set the consumer-key and Consumer-secret
    connection.setRequestProperty("Authorization", basicAuth);
    connection.setUseCaches(false);
    connection.setDoInput(true);
    connection.setDoOutput(true);

    //Send request
    DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
    wr.writeBytes("token="+token.getAccess_token());
    wr.flush();
    wr.close();

    //Get Response
    InputStream iss = connection.getInputStream();
    BufferedReader rd = new BufferedReader(new InputStreamReader(iss));

    String line;
    StringBuffer responseString = new StringBuffer();
    while ((line = rd.readLine()) != null) {
        responseString.append(line);
        responseString.append('\r');
    }

    rd.close();

    System.out.println("Revoking Token Mobile-"+token.getAccess_token());
    System.out.println("Revoking Response Mobile -"+responseString.toString());

    return true;
}

One client application does the revoking process OK. I tried to invoke the API using CURL after revoking, and it fails as expected. But the other client application, which uses the same logic above to revoke tokens, also returns fine, yet the token is still valid after revoking. I can use CURL to query the API. What has gone wrong here?


Solution

API Manager has caching enabled by default and is set to 15 min. Try disabling it.
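
An added example, not part of the original answer and not WSO2 code: a simplified Java model of a gateway that caches successful token validations for 15 minutes, showing how a revoked token can keep being accepted until its cache entry expires. The class name, token strings and cache structure are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Simplified model (an assumption, not WSO2 code): a gateway that caches
// successful token validations for a fixed TTL in front of a key manager.
public class RevocationCacheDemo {
    static final long TTL_MS = 15 * 60 * 1000L;                    // 15 min, as in the answer
    static final Set<String> activeTokens = new HashSet<>();       // key manager state
    static final Map<String, Long> gatewayCache = new HashMap<>(); // token -> cache expiry
    static boolean cacheEnabled = true;

    // Revocation only updates the key manager; the gateway cache is untouched.
    static void revoke(String token) { activeTokens.remove(token); }

    // Gateway decision for an API call made at time nowMs.
    static boolean gatewayAccepts(String token, long nowMs) {
        if (cacheEnabled) {
            Long expiry = gatewayCache.get(token);
            if (expiry != null && nowMs < expiry) return true;     // served from cache
            gatewayCache.remove(token);                            // stale or absent entry
        }
        boolean valid = activeTokens.contains(token);              // ask the key manager
        if (valid && cacheEnabled) gatewayCache.put(token, nowMs + TTL_MS);
        return valid;
    }

    public static void main(String[] args) {
        activeTokens.add("token-A");   // constructed sample tokens
        activeTokens.add("token-B");

        gatewayAccepts("token-B", 0);  // token-B is used once, so its validation is cached
        revoke("token-A");
        revoke("token-B");

        System.out.println("A right after revoke:  " + gatewayAccepts("token-A", 1_000));
        System.out.println("B right after revoke:  " + gatewayAccepts("token-B", 1_000));
        System.out.println("B after TTL expires:   " + gatewayAccepts("token-B", TTL_MS + 1));

        cacheEnabled = false;          // the answer's suggestion: disable the cache
        activeTokens.add("token-C");
        gatewayAccepts("token-C", 0);
        revoke("token-C");
        System.out.println("C with cache disabled: " + gatewayAccepts("token-C", 1_000));
    }
}
```

In this model, a token that was never presented to the gateway before revocation is rejected at once, while one that was already cached stays usable for the rest of the TTL.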

Licensed under: CC-BY-SA with attribution