Configuring token management and revocation for a native OAuth provider
Select whether to use a native gateway (DataPower) or third party endpoint for token revocation.
About this task
Token management enables you to prevent replay attacks by configuring token revocation. API Connect supports token revocation using a native gateway (DataPower) or a third party endpoint. For a native gateway, quota enforcement is used to manage tokens. For a third party endpoint, a URL to an external service is used to manage tokens.
For more information, see IETF RFC 7009, OAuth 2.0 Token Revocation.
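To make concrete what token revocation protects against, here is an added illustration written for this page (it is not API Connect or DataPower code and does not model their token store). It is a small in-memory store in the spirit of RFC 7009: a revoked token is refused on any later presentation, and revoking an unknown token still succeeds, as the RFC requires. The names `TokenStore`, `issue`, `revoke`, `is_active` and `replay_scenario` are assumptions made for this example.

```python
"""Illustrative RFC 7009 style token store (example for this page, not product code)."""
import hashlib


class TokenStore:
    """Tracks issued access tokens and the ones that have been revoked."""

    def __init__(self):
        self._issued = {}      # token fingerprint -> expiry (epoch seconds)
        self._revoked = set()  # fingerprints of revoked tokens

    @staticmethod
    def _fingerprint(token):
        # Keep a hash rather than the raw bearer token, so the store
        # itself never becomes a source of reusable credentials.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, token, expires_at):
        """Record a newly issued token and its absolute expiry time."""
        self._issued[self._fingerprint(token)] = expires_at

    def revoke(self, token):
        """RFC 7009 semantics: revocation succeeds even for unknown tokens."""
        self._revoked.add(self._fingerprint(token))
        return True

    def is_active(self, token, now):
        """Return True only if the token was issued, is unexpired and not revoked."""
        fp = self._fingerprint(token)
        if fp in self._revoked:
            return False
        expires_at = self._issued.get(fp)
        return expires_at is not None and now < expires_at


def replay_scenario():
    """Constructed scenario: a token is used, revoked, then replayed.

    Returns (accepted_before_revoke, accepted_after_revoke, accepted_when_expired).
    """
    store = TokenStore()
    token = "example-access-token"          # constructed sample value
    store.issue(token, expires_at=1_000_000)

    before = store.is_active(token, now=999_000)   # legitimate use
    store.revoke(token)                            # client or admin revokes it
    after = store.is_active(token, now=999_100)    # replay attempt is refused

    fresh = "second-example-token"           # constructed sample value
    store.issue(fresh, expires_at=1_000_000)
    expired = store.is_active(fresh, now=1_000_001)  # past expiry, also refused
    return before, after, expired


if __name__ == "__main__":
    print(replay_scenario())
```

The point for a gateway deployment is the last paragraph of the text above: this store is only authoritative for the process that holds it. A second gateway with its own copy would still accept the revoked token, which is why an external token store is needed across clusters.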
Token management relies on gateway peering to distribute the revocation cache among the nodes of a single gateway cluster; it does not propagate across different gateway clusters. To enforce token management across different gateway clusters, you must use the external token store and set the Token Management Type to External in your native OAuth provider configuration.
One of the following roles is required to configure token management and revocation for a native OAuth Provider:
- Organization Administrator
- Owner
- Custom role with the permissions
You can select the token management settings page for a native OAuth provider immediately on completion of the creation operation detailed in Configuring a native OAuth provider, or you can update the token management settings for an existing native OAuth provider. If you want to update the token management settings for an existing native OAuth provider, complete the following steps before following the procedure described in this topic: