smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Add OTT revoke API endpoint #988

Open sergeysedoy97 opened 2 years ago

sergeysedoy97 commented 2 years ago

Hello!

Issue details

Now it's impossible to revoke a created token.

Why is this needed?

It will be useful to have a CLI command and API endpoint to revoke a created OTT. For example, if the created token was published somewhere or just sent to the wrong person.

tashian commented 2 years ago

Hi @sergeysedoy97 and @jenisov, the JWT tokens generated by step ca token are short-lived (5 minute expiry) tokens. The design goal is for you to be able to generate the token as close as possible to where you need it, deliver it, and then use it immediately, so it doesn't support revocation.

If you need a mechanism that allows for revocation, take a look at the X5C provisioner. With this provisioner, you could have two PKIs: one PKI issues certificates that can authenticate certificate requests in your other PKI. You might use an offline CA and an online CA for this. The certificates generated for use by the X5C provisioner can be revoked. However, there is no OTT option in the X5C provisioner — the authenticating certificate & private key can be used multiple times.

Can you share more about your use case?

sergeysedoy97 commented 2 years ago

@tashian Hi, thank you for your response. We generate tokens manually, not via CLI, which allows us to create long-lived tokens with a custom payload. The token goes through a few services, and the smallstep CA is the endpoint. If one of the services in the pipeline returned an error, then we need to revoke the token.
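The two comments above describe the trade-off: step-ca treats an OTT as a short-lived bearer credential and has no revocation endpoint, while the reporter's pipeline mints long-lived tokens and wants to pull one back when an intermediate service fails. The following is an added example, not code from smallstep or from anyone in this thread, showing how a service in front of the CA can enforce both ideas itself: it refuses tokens whose nbf/exp window is longer than the CA's 5-minute design (so a leaked token ages out quickly) and consults a jti deny-list that the pipeline maintains (so a token can be pulled early without CA support). It assumes the jti, nbf and exp claim names and signs with HS256 using a constructed key purely to keep the demo self-contained; real step-ca OTTs are signed with the provisioner's JWK (ES256), and step-ca itself never consults a deny-list like the one here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

MAX_OTT_LIFETIME = 300  # seconds; mirrors the 5-minute expiry described in the thread


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for a signed OTT (HS256 for a self-contained demo;
    a real step provisioner signs with its JWK, not a shared secret)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class RevocationList:
    """Hypothetical deny-list kept by the pipeline, keyed by jti. An entry is only
    needed until the token's own exp, after which the CA would reject it anyway,
    so expired entries are pruned to keep the list bounded."""

    def __init__(self) -> None:
        self._entries = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._entries[jti] = exp

    def is_revoked(self, jti: str, now: float) -> bool:
        self._entries = {j: e for j, e in self._entries.items() if e > now}
        return jti in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def verify_token(token: str, key: bytes, revoked: RevocationList,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Gatekeeper check a pipeline service runs before forwarding the OTT to the CA.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return False, "malformed"
    jti, nbf, exp = claims.get("jti"), claims.get("nbf"), claims.get("exp")
    if not (isinstance(jti, str) and isinstance(nbf, int) and isinstance(exp, int)):
        return False, "missing claims"
    # Reject tokens minted with a validity window longer than the CA's design allows;
    # this is the control a manually minted long-lived token would bypass.
    if exp - nbf > MAX_OTT_LIFETIME:
        return False, "lifetime too long"
    if now < nbf:
        return False, "not yet valid"
    if now >= exp:
        return False, "expired"
    if revoked.is_revoked(jti, now):
        return False, "revoked"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed; never use a shared secret for real OTTs
    t0 = 1_700_000_000
    deny = RevocationList()
    tok = mint_token({"jti": "job-42", "nbf": t0, "exp": t0 + 300, "sub": "host.example"}, key)
    print(verify_token(tok, key, deny, now=t0 + 10))   # accepted
    deny.revoke("job-42", t0 + 300)                    # an upstream service failed: pull the token
    print(verify_token(tok, key, deny, now=t0 + 10))   # (False, 'revoked')
```

The deny-list only helps for services that sit between the token's creation and the CA; once the token reaches step-ca, the CA's own checks apply and the list is not consulted. The lifetime check is the part worth keeping even without revocation: it turns the CA's design assumption into an enforced property of the pipeline.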