Unable to revoke tokens when Multiple Active Access Tokens are enabled #3472

charithjayasanka · 2024-12-17T11:06:33Z

Description

Unable to revoke tokens when Multiple Active Access Tokens are enabled as described in [1].

Expected behavior:
The token binding validation should succeed, and the userinfo API (or any other API) should function correctly. A separate token binder should be implemented if there is a valid requirement to validate the request binding type.

https://apim.docs.wso2.com/en/3.2.0/learn/api-security/oauth2/multiple-active-access-tokens/#jwt

Steps to Reproduce

How to reproduce:

Add the configuration below.

[oauth.jwt.renew_token_without_revoking_existing]
enable = true
allowed_grant_types = ["client_credentials", "authorization_code"]

Enable "Validate token binding" on the service provider configurations.
Obtain an access token using authorization_code grant type and invoke userinfo endpoint using the obtained access token.
It will return the following error.

{
    "error_description": "Valid token binding value not present in the request.",
    "error": "invalid_request"
}

Version

3.2.1

Environment Details (with versions)

No response

The text was updated successfully, but these errors were encountered:

charithjayasanka added the Type/Bug label Dec 17, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to revoke tokens when Multiple Active Access Tokens are enabled #3472

Unable to revoke tokens when Multiple Active Access Tokens are enabled #3472

charithjayasanka commented Dec 17, 2024

Unable to revoke tokens when Multiple Active Access Tokens are enabled #3472

Unable to revoke tokens when Multiple Active Access Tokens are enabled #3472

Comments

charithjayasanka commented Dec 17, 2024

Description

Steps to Reproduce

Version

Environment Details (with versions)