Revoke OAuth application in APIM 2.1.0

  1. Introduction

  2. In APIM, when a subscriber creates an application and generates keys, the identity component creates a corresponding OAuth application. That OAuth application holds the consumer key and consumer secret. These values are also shown for the application in the Store, and they are used later to generate or renew tokens through the Store UI or the token endpoint.

    These application credentials stay constant for the entire life cycle of the application and are destroyed only when the application is deleted. In other words, there was no way to change the consumer secret of an application.

    A consumer secret needs to be changed when, for example, an organization has to invalidate the current tokens of an application and regenerate them. Changing only the consumer secret would be a possible solution, but up to APIM 2.0.0 this was not possible. In the latest version, APIM 2.1.0, this feature is available.

  3. Revoke consumer secret

  4. Admin users can change the consumer secret of any OAuth application by logging in to the management console of whichever component provides auth (APIM or IS). Once the consumer secret is revoked, all associated tokens are invalidated and the caches are cleared, so API invocation with those access tokens is blocked and tokens can no longer be regenerated for that application. Once the consumer secret is revoked the OAuth application is also invalidated and becomes inactive. This does not affect API subscriptions: the application is still allowed to subscribe to APIs in the APIM Store. While the OAuth application is revoked it is impossible to regenerate a token using the Store UI or the token endpoint. Note that even though the consumer secret is revoked, it is not removed from the OAuth application, and the Store continues to show the same value.

    • Log in to the management console and select the appropriate service provider for the application.
    • Edit the service provider and expand “OAuth/OpenID Connect Configuration”.
    • The OAuth application will be listed there.
    • Click the revoke button to revoke the consumer secret.
  5. Regenerate consumer secret

    • Log in to the management console and go to the OAuth application.
    • A “Regenerate secret” button appears next to the revoke button.
    • Click it to regenerate the consumer secret.
    • The Store then reloads and shows the new consumer secret.
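    The revoke and regenerate behaviour described in the two procedures above, modelled as a small state machine. This is an added illustration, not WSO2 code: the class, method and attribute names are assumptions, and the credentials and token values are constructed locally. It shows the points a practitioner wants to verify: revoking kills every issued token and the validation cache, blocks the token endpoint, leaves the old secret visible and subscriptions untouched, and regenerating restores the application under a new secret without reviving old tokens.

```python
"""Model of APIM 2.1.0 consumer-secret revoke/regenerate behaviour.
Constructed illustration, not WSO2 code: names and state fields are assumptions."""
import secrets


class OAuthApplication:
    def __init__(self, name):
        self.name = name
        self.consumer_key = secrets.token_urlsafe(16)     # constructed credentials
        self.consumer_secret = secrets.token_urlsafe(24)
        self.active = True            # a revoked application becomes inactive
        self.secret_revoked = False   # the Store keeps showing the old secret value
        self.tokens = set()           # access tokens issued to this application
        self.token_cache = {}         # gateway validation cache, cleared on revoke
        self.subscriptions = set()    # API subscriptions are not affected by revoke

    def generate_token(self, consumer_key, consumer_secret):
        """Store UI / token endpoint: needs an active app and matching credentials."""
        if not self.active or self.secret_revoked:
            raise PermissionError("invalid_client: consumer secret revoked")
        if (consumer_key, consumer_secret) != (self.consumer_key, self.consumer_secret):
            raise PermissionError("invalid_client: bad credentials")
        token = secrets.token_hex(16)
        self.tokens.add(token)
        self.token_cache[token] = True
        return token

    def validate_token(self, token):
        """Gateway check before API invocation: cache first, then the token store."""
        if token in self.token_cache:
            return self.token_cache[token]
        return token in self.tokens

    def subscribe(self, api_name):
        """Subscribing in the Store stays allowed whether or not the secret is revoked."""
        self.subscriptions.add(api_name)

    def revoke_secret(self):
        """Admin 'Revoke' in the management console."""
        self.secret_revoked = True
        self.active = False
        self.tokens.clear()          # every associated token is invalidated
        self.token_cache.clear()     # cache cleared so the gateway stops honouring them

    def regenerate_secret(self):
        """Admin 'Regenerate secret': new secret, app active again, old tokens stay dead."""
        self.consumer_secret = secrets.token_urlsafe(24)
        self.secret_revoked = False
        self.active = True
        return self.consumer_secret
```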