Knowledge Partner

OAuth revoking refresh token


Hi!


I'm searching through the documentation and I cannot find a suitable answer. I might have missed it, so please help 😊

We would like to revoke ALL refresh tokens issued to a specific user (for example if user is compromised).

I know I can call the revoke endpoint to revoke an existing refresh token, but only if I know the value of this refresh token (https://www.netiq.com/documentation/access-manager-45-developer-documentation/administration-rest-api-guide/data/revoking-token.html). As far as I understand, this API is used when the client application wants to revoke a refresh token (e.g. when the end user logs out).

But as I said, we would like to revoke ALL refresh tokens issued to a specific user. And of course, since revoking will not be done by the client application (but by some admin process), we don't know the specific refresh token values.


Kind regards,

Sebastijan


But to trigger that I would need to know the refresh token.



Accepted Solutions
Micro Focus Expert

I don't think there is such an option for an admin to revoke all the tokens issued for a specific user. You can work around it by manipulating the nidsOAuthGrant attribute.


<IssuedTokens>
<Token type="REFRESH" creationTimestamp="1589568772179" expiresAt="1589655172179" displayName="137.65.222.49" tokenID="fe74620f-3a5c-4c16-8ab6-0395755e3265"/>
<Token type="REFRESH" creationTimestamp="1589568957758" expiresAt="1589655357758" displayName="137.65.222.49" tokenID="09dca72e-ab96-4c98-93b1-53530c50b9c6"/>
</IssuedTokens>

Check for the tag <IssuedTokens></IssuedTokens> and remove all the entries.

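An added example, not code from this thread or from NetIQ Access Manager, of the manipulation the accepted answer describes: parse the nidsOAuthGrant value, list the issued tokens with their expiry, and drop every <Token type="REFRESH"/> under <IssuedTokens> (optionally only those whose displayName matches one client, which this example adds beyond the answer). The sample value is constructed from the fragment above; how the attribute is read and written back (an LDAP modify or the admin tooling) is an assumption and is left to the caller.

```python
"""Strip refresh tokens from an nidsOAuthGrant value (added example).

Not code from the thread or from NetIQ Access Manager. The attribute's
outer structure is not shown in the thread, so the functions walk the
tree and act on every <IssuedTokens> element at any depth (assumption).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample mirroring the fragment quoted in the accepted answer.
SAMPLE_GRANT = (
    '<IssuedTokens>'
    '<Token type="REFRESH" creationTimestamp="1589568772179" expiresAt="1589655172179" '
    'displayName="137.65.222.49" tokenID="fe74620f-3a5c-4c16-8ab6-0395755e3265"/>'
    '<Token type="REFRESH" creationTimestamp="1589568957758" expiresAt="1589655357758" '
    'displayName="137.65.222.49" tokenID="09dca72e-ab96-4c98-93b1-53530c50b9c6"/>'
    '</IssuedTokens>'
)


def list_tokens(grant_xml):
    """Return one dict per <Token>, with the millisecond timestamps as UTC datetimes.

    Useful for an admin to see what is outstanding before editing the attribute.
    """
    root = ET.fromstring(grant_xml)
    tokens = []
    for tok in root.iter("Token"):
        tokens.append({
            "type": tok.get("type"),
            "tokenID": tok.get("tokenID"),
            "displayName": tok.get("displayName"),
            "createdAt": _ms_to_utc(tok.get("creationTimestamp")),
            "expiresAt": _ms_to_utc(tok.get("expiresAt")),
        })
    return tokens


def revoke_refresh_tokens(grant_xml, only_display_name=None):
    """Remove every <Token type="REFRESH"/> from each <IssuedTokens> container.

    With only_display_name set, only tokens carrying that displayName (the
    client's User-Agent, per the thread) are removed, e.g. to cut off one
    client. Returns (new_xml, removed_token_ids); the caller writes new_xml
    back to nidsOAuthGrant (assumption: via an LDAP modify).
    """
    root = ET.fromstring(grant_xml)
    removed = []
    # Element.iter() yields the root itself too, so this also works when
    # <IssuedTokens> is the root, as in the fragment from the answer.
    for container in root.iter("IssuedTokens"):
        for tok in list(container.findall("Token")):
            if tok.get("type") != "REFRESH":
                continue
            if only_display_name is not None and tok.get("displayName") != only_display_name:
                continue
            removed.append(tok.get("tokenID"))
            container.remove(tok)
    return ET.tostring(root, encoding="unicode"), removed


def _ms_to_utc(ms_text):
    """Convert the millisecond epoch strings used in the attribute to aware datetimes."""
    return datetime.fromtimestamp(int(ms_text) / 1000, tz=timezone.utc)


if __name__ == "__main__":
    for t in list_tokens(SAMPLE_GRANT):
        print(t["type"], t["tokenID"], t["displayName"], "expires", t["expiresAt"].isoformat())
    new_xml, gone = revoke_refresh_tokens(SAMPLE_GRANT)
    print("removed", len(gone), "refresh token(s); new value:", new_xml)
```

Because the removal is done by an admin process rather than the client, write the new value back in one modify and confirm afterwards that no <Token type="REFRESH"/> remains; the tokenID values listed in the attribute are what the example reports, not the refresh token strings themselves.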

6 Replies

Knowledge Partner

Thanks for info regarding nidsOAuthGrant.

I was using that attribute to overcome a consent bug with silent OpenID Connect authentication (I think it was bug #1140839, but now it is fixed). I simply used IDM to monitor that attribute and add the required <grant> elements if missing.

In your example, I see that displayName is IP address. Looking at my users I can see that displayName is either displayName="UNKNOWN:DOWNLOAD" or displayName="WINDOWS_10:EDGE".

Do you know where NAM gets the displayName value?

 

Kind regards,

Sebastijan

Micro Focus Frequent Contributor

Hi Sebastijan,

NAM uses the User-Agent request header for the displayName.

Regards,
Sangeetha

Micro Focus Frequent Contributor

This can be revoked globally through the following request format:

curl -v -k -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d 'userstore_name=remote-edir&user_dn=cn%3Dvneeraj%2Co%3Dnovell' https://www.idp.com:8443/nidp/oauth/nam/revoke/<Device_ID>


Where:

User_dn = user_dn value

User_store = <name of the authenticated user store>

Endpoint = revoke token endpoint with <Device ID value>

Knowledge Partner

>Endpoint = Revoke token Endpoint with <Device ID value>

But what is device-id? If I understand correctly, this is not client-id, but something that must be defined in token request?

This is from documentation:

Revoking Token Issued to a Device

When Mobile Access SDK is not used for on-boarding and off-boarding devices, the token can be manually associated with a device. This can be done by providing additional parameter device_id while requesting for an access token. Such manually associated tokens can be revoked by using the revocation endpoint.

The URL to revoke tokens that are issued to a device is:

https://idpbaseurl.com/nidp/oauth/nam/revoke/<device_id>

So if there are standard OAuth clients which do not send device-id in token request (optional parameter), we cannot revoke those refresh tokens, right?


Kind regards,

Sebastijan

Micro Focus Frequent Contributor

Yes, that is right. As of now that is how a token can be revoked globally.
This could be an enhancement to support global revocation without a device id.