Thursday, June 30, 2016

How to revoke access tokens generated by client application on behalf of user - WSO2 API Manager

First let me explain how OAuth 2.0 works in securing APIs in WSO2 API Manager.

01. Application owner, designer will create application by bundling set of APIs and create OAuth application for them.
02. Then they will embed application access token, consumer key and secret within application and release it to client app store.
03. When clients wanted to use application he may provide user credentials(or authentication challenge) and get access token and refresh token.
04. Access token is having limited validity(by default 1 hour) period and it need to renew after that time.
05. And same applied to refresh token as well. So application cannot use access token more than 1 hour without user credentials.
06. After one hour time (again this is configurable and if need you can reduce that time to 5 minutes or so) application will not be able to do anything on behalf of user.

If you consider end user point of view its doesn't matter underlying authentication mechanism for them (its OAuth or any other mechanism). And most of the cases we didn't wanted to revoke them specifically unless client application thinks end user is misusing application.

But in some cases user do not want to app tp proceed with generated tokens by user. In that case user need to revoke tokens by himself.
If user do not trust client application(if device stolen or app seems misbehaving) then he should log into another system(usually authorization server) and ask to revoke access tokens belong to him.

If user is willing to do something like that then we may use identity server dashboard to do that(Please refer attached screen shot of identity server dashboard, where we list applications obtained tokens on behalf of user).

If you remove application from authorized apps then all tokens obtained by app will be revoked. Users can login to user profile and see application which generated tokens and revoke them if need.

Please note that you need to install API Management features on top of identity server to make this enable. Or we can direct users to web app(which is implemented using soap services to revoke tokens) where they can list active access tokens and revoke them.

And if you believe client application misuse refresh token and generate token again and again on behalf of user we may completely disable refresh token grant handler(configuration available in identity.xm configuration file). Or we can reduce refresh token validity period. With that i believe we can solve issues due to misusing refresh token. Please see below screenshot where you can disable refresh grant per app. Else disable it completely from server level.

No comments:

Post a Comment