OPRevocation

Owned by Scott Cantor
Last updated: Oct 16, 2024 by Henri Mikkonen
1 min read

File(s): conf/relying-party.xml, conf/oidc.properties
Format: Native Spring, Spring Properties

Overview

The OAuth2.Revocation profile configuration bean enables support for the OAuth2 Token Revocation profile, living at /idp/profile/oauth2/revocation

This implementation requires client authentication and requires that the client_id match either the value in the token or one of the audiences of the token to permit the operation.

Configuration

The most typical options used are described in more detail below, but not every obscure option is discussed. See the javadoc for all of the possible configuration options for this profile (note that some of them are inherited from parent classes).

Virtually all the configuration options below can be set via two different properties: a static property that explicitly sets the value to use and a lookup strategy or predicate property that takes a Function or Predicate and returns the value to use. The dynamic property is generally named "propertyNamePredicate" or "propertyNameLookupStrategy" for Boolean- and non-Boolean-valued properties respectively.

The use of DPoP proofs in the revocation endpoint is not required by default. The default behaviour may be changed via requireDpopProof -option.

Options specific to this profile are:

Name

Type

Default

Description

Name

Type

Default

Description

revocationMethod

CHAIN or TOKEN

CHAIN

The revocation method:

  • CHAIN refers to revoking the entire chain of tokens (the authorization code and all access/refresh tokens issued based on it)

  • TOKEN refers to revoking a single token

revocationLifetime

Duration

PT6H

The revocation lifetime used when revoking the full chain (see CHAIN above).

For convenience, revocationMethod is globally controllable via the idp.oauth2.revocationMethod property and revocationLifetime via the idp.oidc.revocationCache.authorizeCode.lifetime property. If a single token is to be revoked, the lifetime is taken from the remaining lifetime of the token to be revoked. It’s calculated by comparing the expiration time of the token to the current instant. See OPToken | Configuration for the configuration of lifetimes for access and refresh tokens.

Â