IBM Support

How to retrieve and revoke tokens associated with a login by using audit log

How To


Summary

Steps to revoke a token via its accessor, using jq to search the audit logs for the token's corresponding "display_name" field and then to match that field against the token accessors known to Vault.

Steps


Introduction

When a user authenticates to Vault, a token is generated and returned to the user. Unless otherwise specified, the token has the default system TTL of 32 days (768 hours), and for that period it can be used to authenticate to Vault.

If a user has been removed or disabled in the authentication backend, the tokens issued by that user's earlier logins remain valid until they expire. These tokens must be revoked so that they can no longer be used to authenticate to Vault.

In general the sensitive data in audit.log is HMAC'ed, so the token or token accessor of an authenticated login cannot be retrieved directly from the audit log.

This article describes the steps to retrieve and revoke the token from Vault by using the display_name field in the audit log, which is recorded in clear text.

Procedure

  • Review the audit log and identify the display_name of the login.
    Example:
    The entries below are from the audit log of an OIDC authentication of an Auth0 account to Vault, where the user_id on Auth0 is auth0|63e6586a2bc88f865b8de7e8. The client_token and accessor values are HMAC'ed, but display_name is readable:

      "auth": {
        "client_token": "hmac-sha256:537a8826656feec0b0cef82405caca67c261a6dfeead8a00cad21a8d98b8b90c",
        "accessor": "hmac-sha256:2767740863da58bba83d62d3e14f8b126f9d136d1af63cc9f748ba190476ae1d",
        "display_name": "oidc-auth0|63e6586a2bc88f865b8de7e8",
  • Retrieve the token accessors associated with the login: oidc-auth0|63e6586a2bc88f865b8de7e8
    In the example below there are two existing accessors associated with the account auth0|63e6586a2bc88f865b8de7e8. Each accessor is tied to a token that can be revoked.

    $ vault list -format json auth/token/accessors | jq -r .[] | xargs -I '{}' vault token lookup -format json -accessor '{}' | jq -r 'select(.data.display_name == "oidc-auth0|63e6586a2bc88f865b8de7e8")' | jq -r .data.accessor

    XssWCIoT7Se6L8h1GpZ0UPhb
    kT1M8ubJ9qyezmr3SxmVxhs6
  • Revoke each of the tokens by using its token accessor:

    $ vault token revoke -accessor XssWCIoT7Se6L8h1GpZ0UPhb
    Success! Revoked token (if it existed)

    $ vault token revoke -accessor kT1M8ubJ9qyezmr3SxmVxhs6
    Success! Revoked token (if it existed)
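The three steps above carried through offline in Python, as an added example that is not IBM's or Vault's own code. The audit entries and token-lookup results are constructed, and the audit-log matching assumes the display_name format "<auth mount>-<backend user id>" seen in the example entries.

```python
import json

# Constructed audit.log lines (one JSON document per line, as Vault writes
# them). client_token and accessor are HMAC'ed and therefore unusable for
# lookups; only display_name identifies the login in clear text.
AUDIT_LOG = """
{"type":"response","auth":{"client_token":"hmac-sha256:537a88","accessor":"hmac-sha256:276774","display_name":"oidc-auth0|63e6586a2bc88f865b8de7e8"},"request":{"path":"auth/oidc/oidc/callback"}}
{"type":"request","auth":{"display_name":"token-root"},"request":{"path":"sys/health"}}
{"type":"response","auth":{"client_token":"hmac-sha256:9a1c","accessor":"hmac-sha256:b3d2","display_name":"oidc-auth0|63e6586a2bc88f865b8de7e8"},"request":{"path":"auth/oidc/oidc/callback"}}
"""

# Constructed results of `vault token lookup -format json -accessor <a>`
# for every accessor listed by `vault list auth/token/accessors`.
TOKEN_LOOKUPS = [
    {"data": {"accessor": "XssWCIoT7Se6L8h1GpZ0UPhb",
              "display_name": "oidc-auth0|63e6586a2bc88f865b8de7e8"}},
    {"data": {"accessor": "kT1M8ubJ9qyezmr3SxmVxhs6",
              "display_name": "oidc-auth0|63e6586a2bc88f865b8de7e8"}},
    {"data": {"accessor": "R4ndomOtherAccessor00000",
              "display_name": "oidc-auth0|another-user"}},
]


def display_names_for_user(audit_text, user_id):
    """Step 1: collect display_name values in the audit log that end in the
    backend user id (assumed format "<mount>-<user_id>")."""
    names = set()
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        name = (entry.get("auth") or {}).get("display_name", "")
        if name.endswith("-" + user_id):
            names.add(name)
    return names


def accessors_for_display_name(lookups, display_name):
    """Step 2: the jq select() from the article: keep only accessors whose
    token lookup carries exactly this display_name (exact match, no prefix)."""
    return sorted(t["data"]["accessor"] for t in lookups
                  if t["data"].get("display_name") == display_name)


def revoke_commands(accessors):
    """Step 3: one `vault token revoke -accessor <a>` invocation per accessor,
    returned as argv lists so they can be reviewed before being run."""
    return [["vault", "token", "revoke", "-accessor", a] for a in accessors]
```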

Additional Information

Document Location

Worldwide


Historical Number

26090683347219

Document Information

Modified date:
09 June 2026

UID

ibm17264909