Reputation: 791
I am using the SAML2 Bearer assertion profile to obtain OAuth tokens from WSO2 API Manager. I have two client applications. In the OAuth token revoking process I am using the following code:
    import java.io.BufferedReader;
    import java.io.DataOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.net.HttpURLConnection;
    import java.net.URL;
    // Base64, Config and Token are classes from the poster's own project.

    public static boolean revokeToken(Token token) throws IOException {
        // Create connection to the revoke endpoint of API Manager
        URL url = new URL(Config.apiMangerOAuthRevokeURL);
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
        String userCredentials = Config.apiMangerClientID + ":" + Config.apiMangerClientSecret;
        String basicAuth = "Basic " + new String(Base64.encodeBytes(userCredentials.getBytes()));
        // Strip any line breaks the Base64 encoder inserted
        basicAuth = basicAuth.replaceAll("\\r|\\n", "");
        // Set the consumer key and consumer secret
        connection.setRequestProperty("Authorization", basicAuth);
        connection.setUseCaches(false);
        connection.setDoInput(true);
        connection.setDoOutput(true);
        // Send request
        DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
        wr.writeBytes("token=" + token.getAccess_token());
        wr.flush();
        wr.close();
        // Get response
        InputStream iss = connection.getInputStream();
        BufferedReader rd = new BufferedReader(new InputStreamReader(iss));
        String line;
        StringBuffer responseString = new StringBuffer();
        while ((line = rd.readLine()) != null) {
            responseString.append(line);
            responseString.append('\r');
        }
        rd.close();
        System.out.println("Revoking Token Mobile-" + token.getAccess_token());
        System.out.println("Revoking Response Mobile -" + responseString.toString());
        return true;
    }
One client application does the revoking process OK. I tried to invoke the API using CURL after revoking, and it fails as expected. But the other client application, which uses the same logic above to revoke tokens, returns well. But the token is valid after revoking. I can use CURL to query the API. What has gone wrong here?
Upvotes: 0
Views: 489
Reputation: 262
API Manager has caching enabled by default and is set to 15 min. Try disabling it.
Upvotes: 1
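The caching effect the answer describes, shown as an added example (not the poster's code and not WSO2 code): a constructed local stub gateway caches token validation, so a revoked token keeps being accepted until its cache entry expires. The class name, the stub, the `tok-A` token and the 1.5 s TTL (standing in for the 15 min default) are assumptions made for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example. The stub below is a constructed stand-in, not WSO2 code.
public class RevocationCheck {
    static final long CACHE_TTL_MS = 1500;  // assumption: stands in for the 15 min default
    static final Set<String> active = ConcurrentHashMap.newKeySet();   // key manager: live tokens
    static final Map<String, Long> cache = new ConcurrentHashMap<>();  // gateway cache: token -> expiry

    // Gateway-side validation: a cache hit never consults the key manager.
    static boolean gatewayAccepts(String token) {
        Long exp = cache.get(token);
        if (exp != null && System.currentTimeMillis() < exp) return true;
        cache.remove(token);
        if (!active.contains(token)) return false;
        cache.put(token, System.currentTimeMillis() + CACHE_TTL_MS);
        return true;
    }

    static HttpServer startStub() throws Exception {
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/api", ex -> {
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            String token = auth == null ? "" : auth.replaceFirst("^Bearer ", "");
            ex.sendResponseHeaders(gatewayAccepts(token) ? 200 : 401, -1);
            ex.close();
        });
        s.start();
        return s;
    }

    // Client side: call the API with the token and return the HTTP status.
    static int probe(String apiUrl, String token) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(apiUrl).openConnection();
        c.setRequestProperty("Authorization", "Bearer " + token);
        return c.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        HttpServer s = startStub();
        String api = "http://127.0.0.1:" + s.getAddress().getPort() + "/api";
        active.add("tok-A");                                          // constructed token
        System.out.println("before revoke: " + probe(api, "tok-A"));  // fills the gateway cache
        active.remove("tok-A");                                       // revocation succeeds upstream
        long start = System.currentTimeMillis();
        while (probe(api, "tok-A") != 401 && System.currentTimeMillis() - start < 10_000)
            Thread.sleep(100);                                        // still accepted from cache
        System.out.println("rejected after ms: " + (System.currentTimeMillis() - start));
        s.stop(0);
    }
}
```

Run against a real gateway, the same `probe()` loop after `revokeToken()` measures how long a revoked token stays usable, which is a more reliable success check than the revoke call returning without error.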