I have the setup where clients are accessing APIs defined through WSO2 API Manager secured by OAuth2 refresh and access tokens. The client gets the tokens using authorization code flow and authentication and authorization is done by 3rd party software.
Access tokens has default expiration time of 3600 seconds (60 minutes) and refresh tokens are without expiration (lasts forever).
Now I have to manage the refresh token revocation by user or admin from 3rd party application. The use case is that user or application admin will remove the authorized access for client which should revoke refresh token in WSO2 API Manager. (not the client logout function only, as the client application can be lost or compromised)
Like if you have a Google account you can remove access to applications using management of your account. (Apps with access to your account)
WSO2 API Manager has revoke API in order to do so where you should send refresh token to revoke. (Token API)
This means that the 3rd party application should also have refresh token in order to revoke it through that API but I understand this as a security flow because only client show have received the refresh token and be able to use it on order to renew access token.
How should be such use case implemented in WSO2 API Manager? How can 3rd party application call API for token revocation without knowing it? What is the correct implementation?
Copyright Notice:Content Author:「user1563721」,Reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article:https://stackoverflow.com/questions/48967697/wso2-api-manager-refresh-and-access-token-revocation