Invalidate Token API

Invalidate Token Request

The InvalidateTokenRequest supports invalidating

  1. A specific token, that can be either an access token or a refresh token
  2. All tokens (both access tokens and refresh tokens) for a specific realm
  3. All tokens (both access tokens and refresh tokens) for a specific user
  4. All tokens (both access tokens and refresh tokens) for a specific user in a specific realm

Specific access token

InvalidateTokenRequest invalidateTokenRequest = InvalidateTokenRequest.accessToken(accessToken);

Specific refresh token

InvalidateTokenRequest invalidateTokenRequest = InvalidateTokenRequest.refreshToken(refreshToken);

All tokens for realm

InvalidateTokenRequest invalidateTokenRequest = InvalidateTokenRequest.realmTokens("default_native");

All tokens for user

InvalidateTokenRequest invalidateTokenRequest = InvalidateTokenRequest.userTokens("other_user");

All tokens for user in realm

InvalidateTokenRequest invalidateTokenRequest = new InvalidateTokenRequest(null, null, "default_native", "extra_user");

Synchronous Execution

When executing a InvalidateTokenRequest in the following manner, the client waits for the InvalidateTokenResponse to be returned before continuing with code execution:

InvalidateTokenResponse invalidateTokenResponse =
    client.security().invalidateToken(invalidateTokenRequest, RequestOptions.DEFAULT);

Synchronous calls may throw an IOException in case of either failing to parse the REST response in the high-level REST client, the request times out or similar cases where there is no response coming back from the server.

In cases where the server returns a 4xx or 5xx error code, the high-level client tries to parse the response body error details instead and then throws a generic ElasticsearchException and adds the original ResponseException as a suppressed exception to it.

Asynchronous Execution

Executing a InvalidateTokenRequest can also be done in an asynchronous fashion so that the client can return directly. Users need to specify how the response or potential failures will be handled by passing the request and a listener to the asynchronous invalidate-token method:

client.security().invalidateTokenAsync(invalidateTokenRequest, RequestOptions.DEFAULT, listener); 

The InvalidateTokenRequest to execute and the ActionListener to use when the execution completes

The asynchronous method does not block and returns immediately. Once it is completed the ActionListener is called back using the onResponse method if the execution successfully completed or using the onFailure method if it failed. Failure scenarios and expected exceptions are the same as in the synchronous execution case.

A typical listener for invalidate-token looks like:

listener = new ActionListener<InvalidateTokenResponse>() {
    @Override
    public void onResponse(InvalidateTokenResponse invalidateTokenResponse) {
        
    }

    @Override
    public void onFailure(Exception e) {
        
    }
};

Called when the execution is successfully completed.

Called when the whole InvalidateTokenRequest fails.

Invalidate Token Response

The returned InvalidateTokenResponse contains the information regarding the tokens that the request invalidated.

invalidatedTokens
Available using getInvalidatedTokens denotes the number of tokens that this request invalidated.
previouslyInvalidatedTokens
Available using getPreviouslyInvalidatedTokens denotes the number of tokens that this request attempted to invalidate but were already invalid.
errors
Available using getErrors contains possible errors that were encountered while attempting to invalidate specific tokens.
final List<ElasticsearchException> errors = invalidateTokenResponse.getErrors();
final int invalidatedTokens = invalidateTokenResponse.getInvalidatedTokens();
final int previouslyInvalidatedTokens = invalidateTokenResponse.getPreviouslyInvalidatedTokens();