Why should you revoke access token?

Question

I don't understand why should you revoke Access Token when your log out. I mean what should you gain from a security perspective, while there is a Refresh token which is used to get a new access token as soos as you browse to the application? I don't see the profit from a security perspective when there is a Refresh token which can be used by whoever uses the computer and browse to the application.

Answer 1

When a user logs out from an OAuth2-based session, they might want to make sure that every application on the same machine can no longer do things on a users' behalf.

For example, perhaps your organization has a single-sign on system that spans several applications, some even third party. When the user logs out, you can't rely on applications to 'log themselves out'. Perhaps all they got is a a session cookie, sitting in a browsers' cookie jar waiting for the next request.

If I log out on a machine, I want the guarantee that nothing can still act on my behalf, not even for a minute.

Answer 2

Whilst the concept of OAuth 2.0 is based on short lived access tokens that are not revoked, there are exceptions to that rule and there's a protocol specification catering for token revocation, RFC 7009 OAuth 2.0 Token Revocation https://datatracker.ietf.org/doc/html/rfc7009.

When revoking the access token, one should also make sure to revoke the refresh token at the same time (the spec dictates that revoking a refresh token will also revoke associated access tokens). This becomes more important when tokens are long lived and there's a suspicion of some breach, unauthorised 3rd-party token access or other token leakage.

Answer 3

I don't understand why should you revoke Access Token when your log out.

Access tokens cant be revoked. They are used for Authorization, and grant the bearer of the access token access to the data for as long as the token has not expired.

Logging out is Authentication these are two very different concepts.

I mean what should you gain from a security perspective, while there is a Refresh token which is used to get a new access token as soon as you browse to the application?

You are again mixing Authorization (OAuth 2.0 access token refresh token) with authentication(open id connect, logging in a user).

Using OAuth 2.0 an application is granted authorization to access a users data they are granted an access token and a refresh token. The application can access the users data when ever it needs to without the user being present.

I don't see the profit from a security perspective when there is a Refresh token which can be used by whoever uses the computer and browse to the application.

This is the exact point of OAuth 2.0 it is there to grant an application access to a users data when the user is not present. It is not authentication.