JamesN.13590 (Bish's RV) asked a question.
OAuth2 token revocation request
Greetings. I have a React front-end app that calls the following code from the SDK to log out. When I look at the Okta System Log, I see 2 OAuth2 token revocation requests. One is for the refresh token we have implemented in our architecture. The 1st revocation token request (Refresh Token) is marked as SUCCESS. However, the 2nd revocation request (for the main token) fails. I have included both those log statements at the bottom of this message. Can anyone tell me if this is expected or is our process flawed?
oktaAuth.signOut();
FAILURE: invalid_token
Hi @JamesN.13590 (Bish's RV) , Thank you for reaching out to the Okta Community!
Please check the following posts to see if they help with your use case:
https://devforum.okta.com/t/unable-to-get-revoke-to-work
https://devforum.okta.com/t/revoke-endpoint
https://devforum.okta.com/t/okta-token-still-active-even-although-signed-out-or-revoked
My advice would be to reach out to the dedicated Developer Forum devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).
If my answers helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--------------------------------
Coming soon: Get tips from community managers during Okta Community's first Ask Me Anything event on 6/22
Hi @JamesN.13590 (Bish's RV),
I know this is an old post, but while I was investigating similar issue and saw this post I can confirm that what you're seeing is correct behavior. If you revoke the refresh token and send another request with the same token it'll fail with the invalid_token since it is not there any longer (and there's no "main token" at all).
-Jani