Okta Classic Engine | Single Sign-On | Answered | 2025-08-29T09:00:28.000Z | 2020-03-26T16:04:16.000Z | 2023-01-28T07:01:11.000Z

JaskaranK.57666 (Customer) asked a question.

/revoke API not working as intended

I am using React + .NET Core and the single-page app Okta option. I am trying to call revoke on logout so that the access token cannot be used afterwards to call any APIs.

 

Okay, on calling the /revoke API, it gives me a 200 status; first step done.

On calling /introspect, it gives me active false, which is also correct.

But when I try to authenticate my API using the same access token, it works fine. Why is it happening like that? The access token is not expiring even on calling the /revoke API.


  • q478i (q478i)

    Once the access token is generated, it expires according to its initially determined life span only.

    Okta will not accept the revoked token; however, if non-Okta APIs are being called using the revoked token as bearer, then it depends on the logic of the downstreams. If the logic is just to extract the expiry time and validate the signature, that will certainly pass. It should have a mechanism to check with Okta whether the token is revoked or not (it will add latency as overhead, but security will be a plus).

     

    Hope this helps.

This question is closed.
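
The behaviour described in this thread, as an added example (not code from the thread or from Okta): a downstream API that checks only signature and expiry keeps accepting a revoked token, while one that also consults introspection rejects it. The HS256 key, the in-memory revocation set and all function names are constructed stand-ins; a real API would verify Okta's signature against its published keys and call the /introspect endpoint over HTTPS.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's signing key
REVOKED = set()                # stands in for the authorization server's revocation state

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(head: str, body: str) -> str:
    return b64url(hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest())

def issue(sub, ttl=3600):
    """Mint a signed access token (HS256 keeps the demo stdlib-only)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    return f"{head}.{body}.{sign(head, body)}"

def validate_locally(token):
    """What a downstream API does when it checks only signature and exp."""
    try:
        head, body, sig = token.split(".")
        # Algorithm is fixed server-side; the header's "alg" is never trusted.
        if not hmac.compare_digest(sig.encode(), sign(head, body).encode()):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims["exp"] > time.time()
    except (ValueError, KeyError):
        return False

def revoke(token):
    """Models POST /revoke: only the authorization server learns about it."""
    REVOKED.add(token)

def introspect(token):
    """Models POST /introspect: revoked or invalid tokens come back inactive."""
    return {"active": token not in REVOKED and validate_locally(token)}

def validate_with_introspection(token, introspect_fn=introspect):
    """Cheap local checks first, then ask the issuer if the token is still active."""
    return validate_locally(token) and introspect_fn(token)["active"] is True

if __name__ == "__main__":
    tok = issue("user@example.com")  # constructed subject
    revoke(tok)
    print("local only:", validate_locally(tok))                      # still accepted
    print("with introspection:", validate_with_introspection(tok))   # rejected
```

Nothing in the token itself changes on revocation, so the only way the API can see it is by asking the issuer, which is the extra round trip the answer refers to.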