APIM v4.1.0 revoke the token when invoking an API

Lakmini Wathsala
2 min read · Jun 30, 2022

Greetings to everyone! 💐

Recently I came across a requirement to revoke the access token on every API request. Here I share the steps to achieve this, since it may be one of your requirements as well. For this guide I refer to the latest WSO2 API Manager release, 4.1.0, with the latest updates.

🎀 Prerequisites:

WSO2 API Manager v4.1.0 pack — https://wso2.com/api-manager/# with the latest updates (mediation/policy handling has changed since the GA release)

🎀 Configuration:

Make the following changes in the <APIM-HOME>/repository/conf/deployment.toml file.

1. This preserves the Authorization header in the messages passing through the gateway — https://apim.docs.wso2.com/en/latest/reference/faq/#how-can-i-add-authentication-headers-to-messages-going-out-of-the-api-gateway-to-the-backend

[apim.oauth_config]
enable_outbound_auth_header=true

2. This lets the blocking client build the ‘/revoke’ response, which is returned with the content type ‘text/html’ — https://apim.docs.wso2.com/en/latest/design/api-policies/regular-gateway-policies/configuring-message-builders-formatters/#default-message-builders-and-formatters

[message_builder]
text_html = "org.apache.axis2.builder.ApplicationXMLBuilder"

3. This enables XPath 2.0, which is required for the XPath functions used in the mediation.

[synapse_properties]
'synapse.xpath.dom.failover.enabled'=true

🎀 Steps:

  • With the above configurations restart the APIM server.
  • Create, publish and deploy a new API[1],[2],[3].
  • Subscribe this API with an Application[4]. You will need the consumer key and secret pair of this Application.
  • Save the policy content below to a .xml file (e.g. revokeToken.xml). Replace the <Base64 encoded{consumerKey:consumerSecret}> placeholder accordingly:
<header name="Authorization" scope="transport" value="Basic <Base64 encoded{consumerKey:consumerSecret}>"/>
Ex: <header name="Authorization" scope="transport" value="Basic ajFYUE8yVGdCck92dFBVWk0yd0Y2V0tSa21RYTpReVdLODY2djd2eEdkWTRMb3ZMaF8zOVppNTBh"/>

Policy content:

  • Add this policy to the newly created API by navigating to the relevant API → API Configurations → Policies → Add New Policy[5].

(Screenshot: Create new policy window)
  • After adding the policy, engage it on the required resources by dragging and dropping the policy onto each resource.
(Screenshot: Adding policy to the resource)
  • Then Save and Deploy the changes.
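The following is an illustrative request-flow policy for this setup, written here as an added example; it is not the author's policy file. It assumes the default gateway port (https://localhost:8243/revoke), that configuration 1 above keeps the caller's Authorization header available in the mediation, and that the policy is engaged on the request flow; the placeholder for the Base64 credentials must be replaced as in the step above.

```xml
<!-- Illustrative per-request revoke policy (example, not the author's file).
     Engage it on the request flow of the resource; it runs before the backend call. -->
<!-- Keep the caller's Authorization header and body: the blocking call below
     replaces the current message with the /revoke response. -->
<property name="ORIGINAL_AUTH" expression="$trp:Authorization" scope="default" type="STRING"/>
<enrich>
    <source type="body" clone="true"/>
    <target type="property" property="ORIGINAL_BODY"/>
</enrich>
<!-- Strip the "Bearer " prefix to obtain the raw access token -->
<property name="ACCESS_TOKEN" expression="substring-after($trp:Authorization, 'Bearer ')" scope="default" type="STRING"/>
<!-- Build the form body token=<access token>. With messageType set to
     application/x-www-form-urlencoded, the child element becomes the form field. -->
<payloadFactory media-type="xml">
    <format>
        <revoke xmlns=""><token>$1</token></revoke>
    </format>
    <args>
        <arg evaluator="xml" expression="$ctx:ACCESS_TOKEN"/>
    </args>
</payloadFactory>
<property name="messageType" value="application/x-www-form-urlencoded" scope="axis2"/>
<!-- Client credentials of the subscribed application: base64(consumerKey:consumerSecret).
     REPLACE_WITH_BASE64_CREDENTIALS is a placeholder, not a real value. -->
<header name="Authorization" scope="transport" value="Basic REPLACE_WITH_BASE64_CREDENTIALS"/>
<!-- Blocking call so the revocation completes before the request is forwarded
     (the text/html builder from configuration 2 is what lets this response be parsed).
     The endpoint URL assumes the default gateway port. -->
<call blocking="true">
    <endpoint>
        <http method="POST" uri-template="https://localhost:8243/revoke"/>
    </endpoint>
</call>
<!-- Record the outcome; a non-200 status means the token was not revoked -->
<log level="custom">
    <property name="revoke_status" expression="$axis2:HTTP_SC"/>
</log>
<!-- Restore the original request before it reaches the backend -->
<enrich>
    <source type="property" property="ORIGINAL_BODY"/>
    <target type="body"/>
</enrich>
<header name="Authorization" scope="transport" expression="$ctx:ORIGINAL_AUTH"/>
```

Because the token is revoked before the backend is called, a failed backend request still consumes the token, so clients must be prepared to fetch a new token for every retry.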

That’s it with the configurations! 🍾 🔆

When you invoke the API for the first time with a new token, the invocation succeeds. From the second invocation onwards with the same token (even within its validity period), the invocation is rejected, since the token was already revoked during the previous API invocation, and the gateway logs the following.

ERROR - JWTValidator Invalid JWT token. XXXXX":"RS256"}
WARN - APIAuthenticationHandler API authentication failure due to Invalid Credentials

Hope this will be useful!! ✌️👋

References:

[1] https://apim.docs.wso2.com/en/latest/design/create-api/create-rest-api/create-a-rest-api/
[2] https://apim.docs.wso2.com/en/latest/deploy-and-publish/publish-on-dev-portal/publish-an-api/
[3] https://apim.docs.wso2.com/en/latest/deploy-and-publish/deploy-on-gateway/deploy-api/deploy-an-api/
[4] https://apim.docs.wso2.com/en/latest/consume/manage-subscription/subscribe-to-an-api/
[5] https://apim.docs.wso2.com/en/latest/design/api-policies/create-policy/#creating-an-api-specific-policy
