I am using service account key JSON to mint access tokens
My understanding:

Service Account Access Tokens
- When you sign a JWT with the private key and exchange it for an access token, that token is short-lived (≤1 hour).
- These tokens are not backed by refresh tokens.
- Google does not track them centrally, so there is no API to revoke a token once issued.

That means:
- You cannot revoke a single active session/token that was minted with your key.
- The only way to cut off usage is to delete or disable the service account key itself.
I do not want to delete the service account. Is there any other method to revoke, or any way to obtain the token?
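The flow described above (sign a JWT with the key's private key, exchange it for an access token), as an added example that is not part of the original post or of Google's client libraries. It assumes a constructed RSA key stands in for the `private_key` field of the key JSON, a made-up service account email and scope, and Google's documented token endpoint `https://oauth2.googleapis.com/token`; the mitigating point it shows is that, because the resulting access token cannot be revoked, the requested `exp` is the only per-token control, so the builder clamps it to the one-hour ceiling and lets you ask for less.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// MaxLifetime mirrors the ceiling the token endpoint enforces on a
// service-account assertion: exp - iat may not exceed one hour.
const MaxLifetime = time.Hour

// Claims is the jwt-bearer assertion payload; field names are the wire names.
type Claims struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs an RS256 JWT for the service account, clamping the
// lifetime to MaxLifetime: a minted token cannot be revoked, only outlived.
func BuildAssertion(key *rsa.PrivateKey, email, scope string, now time.Time, lifetime time.Duration) (string, error) {
	if lifetime <= 0 || lifetime > MaxLifetime {
		lifetime = MaxLifetime
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{Iss: email, Scope: scope,
		Aud: "https://oauth2.googleapis.com/token", // token endpoint is the audience
		Iat: now.Unix(), Exp: now.Add(lifetime).Unix()})
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// TokenRequestBody is the form body POSTed to the token endpoint; the reply
// carries a short-lived access_token and no refresh_token.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}
```

In a real deployment the key comes from the JSON file's `private_key` PEM and the request is POSTed to the endpoint; pick the shortest lifetime your workload tolerates, and treat disabling or deleting the key as the only kill switch.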
Hi @GCP_USER,
Here are two options that you may find helpful:
- Delete the cookie (CorpLogin) for your domain. This isn’t the same as logging out; your session in login.corp (which uses a distinct cookie) remains active and is not cleared. When you try to access your service, it will detect that there is no CorpLogin cookie and redirect your browser to get a new one. This differs from an expired cookie, but it is equivalent (an expired cookie will also cause the same redirect). The specific cookie name varies by service. For instance, UberProxy (which is probably the service you are referring to) has a flag which can be used to set it. But in general they are named GSSO_ or Host-GSSO or SSO or SSO or similar.
- You can only do this if you manage the service being accessed: adjust the maxAge (or a similarly named setting) in the CorpLogin libraries to a shorter duration, prompting more frequent authentication by your server. Not less than 10 minutes, as recommended.
You may check this documentation for reference:
The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
Others resolved their issue by fully logging out:
Logging you out of each of the corp SSO services you’re logged into. If logout fails for any of the services below, you must click on the provided link to log out of that service. You can eliminate this problem by enabling third-party cookies for login.corp.google.com and for all the services you use, or you can always log out of all services by closing all your browser windows.
go/logout - but before clicking this one make sure you are ready to be logged out.
Service accounts, after they create an access token, are not managed by Google; hence there is no way of revoking it. Is there any alternative programmatically?