Friday, November 20, 2015

Revoke OAuth Access Token from Soap Endpoint

In Wso2 Identity Provider when you need to revoke an OAuth token endpoint, there are two options that you could follow.

1. Rest endpoint
2. Soap endpoint

Rest endpoint is detailed and explained in  However if you need to revoke the token based on the resource owner, then you could go for Soap endpoint revoke operation. A good explanation on these differences can be found in

These are the steps to follow in order to try out this soap endpoint. For this example I have used IS 5.0. + Service Pack 1.

The operation we are going to invoke is admin service, OAuthAdminService's  operation revokeAuthzForAppsByResourceOwner. Therefore make sure that you set <HideAdminWsdl> to false in <IS_HOME>/repository/conf/carbon.xml.

1. Create a new Service Provider (RWM) through management console and enable OAuth.
2. Note down the Client key and client secret values of the new SP. (under OAuth section)
2. Make the grant type password.
3. Create a new user (user1) and provide login permission for the user.( through internal role)
4. Use below curl command and invoke an access token for the newly created user 'user1'.

Here the format would be,

curl -v -k -X POST --user clientKey:clientSecret -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d 'grant_type=password&username=user1&password=test123' https://localhost:9443/oauth2/token

For this example I have used,
curl -v -k -X POST --user mlwL69uKnERmOwDnygn2kwAgVJca:vhW8WZ1qSHsAX6RZH7YQ7QvxVwwa -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d 'grant_type=password&username=user1&password=test123' https://localhost:9443/oauth2/token

5. Once you invoke this, you should get a json response with the access token and refresh token values.

6. You could check if this user1 gained authorization for the SP RWM, by accessing
 https://localhost:9443/dashboard/  as 'user1' and go to autorized apps - > view details. If previous invoke was successful, you should see that RWM app listed under this page.

7. Now in order to revoke create a soapui project with https://localhost:9443/services/OAuthAdminService?wsdl and send a request to
revokeAuthzForAppsByResourceOwner operation like below.

Make sure to enable 'authenticate pre-emptively option ,else you would get an illegal login attempt error, and the token will not be revoked. Also the basic:auth credentials should be the user credentials that you used to invoke the the token in the first place. 

8. Now if you go to admin dashboard and view authorize apps, you should not be able to see the previous RWM listed. You can further clarify that the token got revoked, by invoking another token for the same user, and see if it is a new value given.


No comments:

Post a Comment