Revocations

Plan B allows revoking JWT tokens via three different revocation types:

TOKEN
Revoke single JWT tokens.
CLAIM
Revoke all JWTs having a specific claim value.
GLOBAL
Revoke all JWTs issued before a certain date.

Revocations are stored in Cassandra and the Token Info component regularly polls for deltas.

Revoking a Single Token

$ tok=... # some valid token accepted by the configured TOKENINFO_URL
$ curl -X POST \
     -H "Authorization: Bearer $tok" \
     -H 'Content-Type: application/json' \
     -d '{"type": "TOKEN", "data": {"token": "..."}}' \
     "https://planb-revocation.example.org/revocations"

Revoking Tokens by Claims

Revoking all tokens issued up to now with subject (username) “jdoe”:

$ tok=... # some valid token accepted by the configured TOKENINFO_URL
$ curl -X POST \
     -H "Authorization: Bearer $tok" \
     -H 'Content-Type: application/json' \
     -d '{"type": "CLAIM", "data": {"claims": {"sub": "jdoe"}}}' \
     "https://planb-revocation.example.org/revocations"

Forcing Token Info to refresh from certain Timestamp

$ tok=... # some valid token accepted by the configured TOKENINFO_URL
$ curl -X POST \
    -H "Authorization: Bearer $tok" \
    https://planb-revocation.example.org/notifications/REFRESH_FROM?value=123