OAuth Token Revocation on BIG-IP devices using a BIG-IQ

Overview

You can use REST APIs on a BIG-IQ Centralized Management system to revoke OAuth tokens on one or more BIG-IP devices. There are three actions that can be used to revoke OAuth tokens.

  • Revoke token by user.
  • Revoke token by client ID.
  • Revoke list of tokens.

Prerequisites

The following prerequisites must be met to use the API to revoke OAuth tokens.

  • All BIG-IP devices are operational and have the services provisioned that will be managed by the BIG-IQ Centralized Management system.
  • The BIG-IQ Centralized Management system is operational, has completed the setup wizard, and completed any other needed configuration.
  • Trust has been established between the BIG-IP device and the BIG-IQ Centralized Management system.
  • The APM service is discovered for the BIG-IP device in the BIG-IQ Centralized Management system.
  • The APM configuration is imported, if the Access group name needs to be used as input criteria.
  • A Data Collection Device is set up for your BIG-IQ cluster. Refer to the “Managing a Data Collection Device Cluster” section in the BIG-IQ “Planning and Implementing an F5 BIG-IQ Centralized Management Deployment” guide on www.support.f5.com and the “Add a Data Collection Device to your BIG-IQ Cluster” article on www.devcentral.f5.com.
  • To revoke OAuth tokens, users need the necessary RBAC permissions for the “Access_Manager” role.

Required Information

In addition to the prerequisites, the user must provide the following in order to revoke OAuth tokens.

  • BIG-IP device references - References to the BIG-IP devices on which OAuth tokens are to be revoked.
  • Cluster Names - Cluster names used in BIG-IQ for the BIG-IP devices on which the OAuth tokens to be revoked reside.
  • User Name - User name of the user whose tokens need to be revoked.
  • Access Group Names - Names of the Access groups under which the BIG-IP devices holding the OAuth tokens to be revoked are managed.
  • Client Id - Unique ID used as a reference for the client session to BIG-IP.
  • perDeviceOauthIds - List of one or more OAuth ID info objects, each containing a device reference and a list of id (OAuth ID) and clientId pairs.

Actions

Using the BIG-IQ public API, users can complete the following actions to collect the necessary information and revoke OAuth tokens with the different revoke token actions.

  • Retrieve information on managed BIG-IP devices and from the response:
      • Find the cluster name of a device.
      • Find the device reference of a device.
      • Find the Access group name of a device.
  • Retrieve the list of OAuth client apps for a given machine ID.
  • Retrieve the list of per-device OAuth IDs on the managed BIG-IP devices.
  • Revoke tokens based on three types of actions:
      • Revoke token by user.
      • Revoke token by client ID.
      • Revoke list of tokens.

Get information on managed BIG-IP devices

To find managed BIG-IP devices, users must use the “MachineId Resolver” API. This API lists all managed devices in the system.

GET: https://<BIG-IQ-address>/mgmt/cm/system/machineid-resolver

Response

{
   "items":[
      {
         "uuid":"98901455-6384-47cd-bc41-00a39dfe338f",
         "deviceUri":"https://10.192.123.69:443",
         "machineId":"98901455-6384-47cd-bc41-00a39dfe338f",
         "state":"ACTIVE",
         "address":"10.255.4.124",
         "httpsPort":443,
         "hostname":"bluebigipveha1.labf.com",
         "version":"12.1.0",
         "product":"BIG-IP",
         "edition":"Final",
         "build":"0.0.1354",
         "restFrameworkVersion":"12.1.0-0.0.1354",
         "managementAddress":"10.192.123.69",
         "mcpDeviceName":"/Common/bluebigipveha1",
         "trustDomainGuid":"5189f81c-96be-4449-b4110050560102e7",
         "properties":{
            "cm:gui:module":[
               "Access",
               "BigIPDevice",
               "adc"
            ],
            "modules":[
               "All Access managed BIG-IP devices"
            ],
            "cm-adccore-allbigipDevices":{
               "supportsBadgerEnhs":true,
               "supportsRest":true,
               "supportsAlpineEnhs":true,
               "lastDiscoveredDateTime":"2016-11-10T19:06:14.804Z",
               "imported":true,
               "clusterName":"BlueCluster",
               "restrictsPortTranslationStatelessVirtual":true,
               "requiresDhcpProfileInDhcpVirtualServer":true,
               "importStatus":"FINISHED",
               "discoveryStatus":"FINISHED",
               "importedDateTime":"2016-11-10T19:14:39.003Z",
               "lastUserDiscoveredDateTime":"2016-11-10T19:06:14.804Z",
               "modules":[
                  "All Access managed BIG-IP devices"
               ],
               "cm:gui:module":[
                  "Access",
                  "BigIPDevice",
                  "adc"
               ],
               "discovered":true,
               "supportsClassification":true
            },
            "cm-bigip-allBigIpDevices":{
               "shared:resolver:device-groups:discoverer":"d5d58cdd-f5b5-4379-9d12-08e28253a16f",
               "cm:gui:module":[
                  "BigIPDevice"
               ],
               "modules":[

               ]
            },
            "cm-bigip-allDevices":{
               "shared:resolver:device-groups:discoverer":"d5d58cdd-f5b5-4379-9d12-08e28253a16f",
               "cm:gui:module":[

               ],
               "modules":[

               ]
            },
            "cm-access-allBigIpDevices":{
               "discovered":true,
               "imported":true,
               "clusterName":"BlueCluster",
               "supportsRest":true,
               "supports_13_0_Enhs":false,
               "supportsCascadeEnhs":true,
               "lastDiscoveredDateTime":"2016-11-10T19:15:18.963Z",
               "lastUserDiscoveredDateTime":"2016-11-10T19:15:18.963Z",
               "cm:access:access-group-name":"TestGroup",
               "cm:access:source-device":true,
               "cm:access:access-group-device-link":"https://localhost/mgmt/shared/resolver/device-groups/CA/devices/98901455-6384-47cd-bc41-00a39dfe338f",
               "cm:access:import-version":"12.1.0",
               "cm:access:access-group-link":"https://localhost/mgmt/shared/resolver/device-groups/TestGroup",
               "importedDateTime":"2016-11-10T19:17:04.459Z",
               "discoveryStatus":"FINISHED",
               "importStatus":"FINISHED",
               "cm:gui:module":[
                  "Access"
               ],
               "modules":[
                  "All Access managed BIG-IP devices"
               ]
            },
            "cm-bigip-cluster_BlueCluster":{
               "clusterName":"BlueCluster",
               "shared:resolver:device-groups:discoverer":"da4a4ca7-19f9-4a31-a1c2-004d5557ff10",
               "cm:gui:module":[

               ],
               "modules":[

               ]
            },
            "cm-access-allDevices":{
               "clusterName":"BlueCluster",
               "cm:gui:module":[
                  "Access"
               ],
               "modules":[
                  "All Access managed BIG-IP devices"
               ]
            },
            "TestGroup":{
               "discovered":true,
               "imported":false,
               "supportsRest":true,
               "supports_13_0_Enhs":false,
               "supportsCascadeEnhs":true,
               "discoveryStatus":"FINISHED",
               "lastDiscoveredDateTime":"2016-10-26T04:15:56.356Z",
               "lastUserDiscoveredDateTime":"2016-10-26T04:15:56.356Z",
               "cm:access:all-bigip-device-link":"https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices/98901455-6384-47cd-bc41-00a39dfe338f",
               "cm:access:import-version":"12.1.0",
               "cm:access:source-device":true,
               "cm:gui:module":[
                  "Access"
               ],
               "modules":[
                  "All Access managed BIG-IP devices"
               ]
            },
            "cm-adccore-allDevices":{
               "cm:gui:module":[

               ],
               "modules":[

               ]
            }
         },
         "isClustered":false,
         "isVirtual":true,
         "isLicenseExpired":false,
         "slots":[
            {
               "volume":"HD1.1",
               "product":"BIG-IP",
               "version":"12.1.0",
               "build":"0.0.1354",
               "isActive":true
            },
            {
               "volume":"HD1.3",
               "product":"BIG-IP",
               "version":"12.0.0",
               "build":"0.0.606",
               "isActive":false
            }
         ],
         "generation":67,
         "lastUpdateMicros":1479332833705505,
         "kind":"shared:resolver:device-groups:restdeviceresolverdevicestate",
         "selfLink":"https://localhost/mgmt/cm/system/machineid-resolver/98901455-6384-47cd-bc41-00a39dfe338f"
      }
   ],
   "generation":0,
   "lastUpdateMicros":0,
   "selfLink":"http://localhost:8100/cm/system/machineid-resolver/?$filter=%27address%27+eq+%2710.192.123.198%27"
}

Find the cluster name of a device that is part of a cluster from GET “MachineId Resolver” API response

{
   "properties":{
      "cm-access-allBigIpDevices":{
         "clusterName":"BlueCluster"
      }
   }
}

Find machine id and device reference of a device from GET “MachineId Resolver” API response

{
   "machineId":"98901455-6384-47cd-bc41-00a39dfe338f",
   "selfLink":"https://localhost/mgmt/cm/system/machineid-resolver/98901455-6384-47cd-bc41-00a39dfe338f"
}

Find Access Group Name of the device from GET “MachineId Resolver” API response

{
   "properties":{
      "cm-access-allBigIpDevices":{
         "cm:access:access-group-name":"TestGroup"
      }
   }
}

Get a list of OAuth Client App for given machine ID

To get a list of all OAuth client apps with their client IDs, send the following GET request to the OAuth client app API with a filter that retrieves only the client apps for the machine ID of the given device (refer to “Find device reference of a device” to get the machine ID of a device). In the response, clientId refers to the client ID of the OAuth client app.

GET: https://<BIG-IQ-address>/mgmt/cm/access/working-config/apm/oauth/oauth-client-app?$filter='lsoDeviceReference/machineId' eq '26a65814-a2f4-4e91-9853-13e2e14d921a'&$select=appName,name,clientId

Response

{
   "selfLink":"https://localhost/mgmt/cm/access/working-config/apm/oauth/oauth-client-app",
   "totalItems":2,
   "items":[
      {
         "appName":"Shutterfly",
         "clientId":"89923892aed8eb142a8871058da9005056b09ae221df6a57",
         "name":"shutterfly-client"
      },
      {
         "appName":"Maps",
         "clientId":"5b3e8851b1d872feed3086484141005056b09ae2d5277c57",
         "name":"maps-client"
      }
   ],
   "generation":7,
   "kind":"cm:access:working-config:apm:oauth:oauth-client-app:oauthclientappcollectionstate",
   "lastUpdateMicros":1478208069057233
}

Revoke All OAuth Tokens for a User

You can revoke all OAuth tokens for a user on one or more BIG-IP devices that match one or more of the input criteria specified below. To use this action, “action” must be set to “REVOKE_TOKEN_FOR_USER” and the request must have at least one of the “accessGroupNames”, “clusterNames”, or “deviceReferences” filters. They can be obtained from “Get information on managed BIG-IP devices”.

POST: https://<BIG-IQ-address>/mgmt/cm/access/tasks/revoke-tokens

Body of POST for the revoke tokens worker:

{
   "action":"REVOKE_TOKEN_FOR_USER",
   "userName": "user1",
   "accessGroupNames":[
      "TestGroup1",
      "TestGroup2"
   ],
   "clusterNames":[
      "BlueCluster",
      "RedCluster"
   ],
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      },
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/3f320100-2177-42e0-8a46-2e33cd3366d"
      }
   ]
}

Response

{
   "action":"REVOKE_TOKEN_FOR_USER",
   "userName": "user1",
   "currentStep": "DONE",
   "status": "FINISHED",
   "accessGroupNames":[
      "TestGroup1",
      "TestGroup2"
   ],
   "clusterNames":[
      "BlueCluster",
      "RedCluster"
   ],
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      },
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/3f320100-2177-42e0-8a46-2e33cd3366d"
      }
   ],
   "generation":7,
   "id":"5b688828-2279-40b0-9dc1-eccdebb6837f",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:revoke-tokens:oauthrevoketokentaskitemstate",
   "lastUpdateMicros":1473733104269292,
   "ownerMachineId":"fd870e82-842d-4194-a882-71cb92e2a5c3",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/revoke-tokens/5b688828-2279-40b0-9dc1-eccdebb6837f",
   "startDateTime":"2016-09-12T19:18:23.451-0700",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

Revoke Token by Client ID

You can revoke all OAuth tokens for a given client ID on one or more BIG-IP devices that match one or more of the input criteria specified below. To use this action, “action” must be set to “REVOKE_TOKEN_FOR_CLIENT_ID” and the request must have at least one of the “accessGroupNames”, “clusterNames” and “deviceReferences” filters. They can be obtained from “Get information on managed BIG-IP devices” and “Get a list of OAuth Client App for given machine ID”.

POST: https://<BIG-IQ-address>/mgmt/cm/access/tasks/revoke-tokens

Body of POST for the revoke tokens worker.

{
   "action":"REVOKE_TOKEN_FOR_CLIENT_ID",
   "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457",
   "accessGroupNames":[
      "TestGroup1",
      "TestGroup2"
   ],
   "clusterNames":[
      "BlueCluster",
      "RedCluster"
   ],
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      },
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/3f320100-2177-42e0-8a46-2e33cd3366d"
      }
   ]
}

Response

{
   "action":"REVOKE_TOKEN_FOR_CLIENT_ID",
   "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457",
   "currentStep": "DONE",
   "status": "FINISHED",
   "accessGroupNames":[
      "TestGroup1",
      "TestGroup2"
   ],
   "clusterNames":[
      "BlueCluster",
      "RedCluster"
   ],
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      },
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/3f320100-2177-42e0-8a46-2e33cd3366d"
      }
   ],
   "generation":7,
   "id":"5b688828-2279-40b0-9dc1-eccdebb6837f",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:revoke-tokens:oauthrevoketokentaskitemstate",
   "lastUpdateMicros":1473733104269292,
   "ownerMachineId":"fd870e82-842d-4194-a882-71cb92e2a5c3",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/revoke-tokens/5b688828-2279-40b0-9dc1-eccdebb6837f",
   "startDateTime":"2016-09-12T19:18:23.451-0700",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

Revoke List of Tokens

You can revoke a list of OAuth tokens on one or more BIG-IP devices that match one or more of the input criteria specified below. To use this action, “action” must be set to “REVOKE_LIST_OF_TOKENS”, “perDeviceOauthIds” is a required field, and the request must have at least one of the “accessGroupNames”, “clusterNames”, or “deviceReferences” filters. They can be obtained from “Get information on managed BIG-IP devices”.

Note: The OAuth IDs to be revoked need to be determined manually; currently there is no API support to list session information. In the BIG-IQ UI, token information can be found in the Monitoring tab under Dashboards & Reports -> Access -> OAuth -> Tokens. If the OAuth ID column is not visible, it needs to be selected in Grid Settings in the top-left corner of the tokens table.

POST: https://<BIG-IQ-address>/mgmt/cm/access/tasks/revoke-tokens

Body of POST for the revoke tokens worker.

{
   "action":"REVOKE_LIST_OF_TOKENS",
   "perDeviceOauthIds":[
      {
         "oauthIds":[
            {
               "id":"da6d57ffab9decbe9d75b7fdd4440ad43bedc7a475f3105b",
               "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457"
            },
            {
               "id":"0df998ae62ace6fb6a82bb745b8586e7306afb94e3ca146a",
               "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457"
            }
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
         }
      },
      {
         "oauthIds":[
            {
               "id":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457",
               "clientId":"bb745b8586e7306afb94"
            },
            {
               "id":"8586e7306afb8586e7306afb8586e7306afb",
               "clientId":"8ad92cbb970dd500"
            }
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/23h4jkhk324-f405-489f-kj3434-98234"
         }
      }
   ],
   "accessGroupNames":[
      "TestGroup1",
      "TestGroup2"
   ],
   "clusterNames":[
      "BlueCluster",
      "RedCluster"
   ],
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      },
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/3f320100-2177-42e0-8a46-2e33cd3366d"
      }
   ]
}

Response

{
   "action":"REVOKE_LIST_OF_TOKENS",
   "perDeviceOauthIds":[
      {
         "oauthIds":[
            {
               "id":"da6d57ffab9decbe9d75b7fdd4440ad43bedc7a475f3105b",
               "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457"
            },
            {
               "id":"0df998ae62ace6fb6a82bb745b8586e7306afb94e3ca146a",
               "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457"
            }
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
         }
      },
      {
         "oauthIds":[
            {
               "id":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457",
               "clientId":"bb745b8586e7306afb94"
            },
            {
               "id":"8586e7306afb8586e7306afb8586e7306afb",
               "clientId":"8ad92cbb970dd500"
            }
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/23h4jkhk324-f405-489f-kj3434-98234"
         }
      }
   ],
   "currentStep": "DONE",
   "status": "FINISHED",
   "accessGroupNames":[
      "TestGroup1",
      "TestGroup2"
   ],
   "clusterNames":[
      "BlueCluster",
      "RedCluster"
   ],
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      },
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/3f320100-2177-42e0-8a46-2e33cd3366d"
      }
   ],
   "generation":7,
   "id":"5b688828-2279-40b0-9dc1-eccdebb6837f",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:revoke-tokens:oauthrevoketokentaskitemstate",
   "lastUpdateMicros":1473733104269292,
   "ownerMachineId":"fd870e82-842d-4194-a882-71cb92e2a5c3",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/revoke-tokens/5b688828-2279-40b0-9dc1-eccdebb6837f",
   "startDateTime":"2016-09-12T19:18:23.451-0700",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

Monitor the “revoke OAuth tokens” task

Monitor the task using GET requests until the status has reached a value of FINISHED, FAILED, or CANCELLED. When the GET response status value is FINISHED and the result value is COMPLETE, the revoke OAuth tokens task is complete.

GET: https://<BIG-IQ-address>/mgmt/cm/access/tasks/revoke-tokens/<task-id>

Response

{
   "action":"REVOKE_LIST_OF_TOKENS",
   "perDeviceOauthIds":[
      {
         "oauthIds":[
            {
               "id":"da6d57ffab9decbe9d75b7fdd4440ad43bedc7a475f3105b",
               "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457"
            },
            {
               "id":"0df998ae62ace6fb6a82bb745b8586e7306afb94e3ca146a",
               "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457"
            }
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
         }
      },
      {
         "oauthIds":[
            {
               "id":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457",
               "clientId":"bb745b8586e7306afb94"
            },
            {
               "id":"8586e7306afb8586e7306afb8586e7306afb",
               "clientId":"8ad92cbb970dd500"
            }
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/23h4jkhk324-f405-489f-kj3434-98234"
         }
      }
   ],
   "currentStep":"RESOLVE_DEVICES",
   "status": "STARTED",
   "accessGroupNames":[
      "TestGroup1",
      "TestGroup2"
   ],
   "clusterNames":[
      "BlueCluster",
      "RedCluster"
   ],
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      },
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/3f320100-2177-42e0-8a46-2e33cd3366d"
      }
   ],
   "generation":7,
   "id":"5b688828-2279-40b0-9dc1-eccdebb6837f",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:revoke-tokens:oauthrevoketokentaskitemstate",
   "lastUpdateMicros":1473733104269292,
   "ownerMachineId":"fd870e82-842d-4194-a882-71cb92e2a5c3",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/revoke-tokens/5b688828-2279-40b0-9dc1-eccdebb6837f",
   "startDateTime":"2016-09-12T19:18:23.451-0700",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

GET: https://<BIG-IQ-address>/mgmt/cm/access/tasks/revoke-tokens/<task-id>

Response

{
   "action":"REVOKE_LIST_OF_TOKENS",
   "perDeviceOauthIds":[
      {
         "oauthIds":[
            {
               "id":"da6d57ffab9decbe9d75b7fdd4440ad43bedc7a475f3105b",
               "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457"
            },
            {
               "id":"0df998ae62ace6fb6a82bb745b8586e7306afb94e3ca146a",
               "clientId":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457"
            }
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
         }
      },
      {
         "oauthIds":[
            {
               "id":"e3f3e7204d00d88ad92cbb970dd5005056b093adfa6d7457",
               "clientId":"bb745b8586e7306afb94"
            },
            {
               "id":"8586e7306afb8586e7306afb8586e7306afb",
               "clientId":"8ad92cbb970dd500"
            }
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/23h4jkhk324-f405-489f-kj3434-98234"
         }
      }
   ],
   "currentStep": "DONE",
   "status": "FINISHED",
   "accessGroupNames":[
      "TestGroup1",
      "TestGroup2"
   ],
   "clusterNames":[
      "BlueCluster",
      "RedCluster"
   ],
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      },
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/3f320100-2177-42e0-8a46-2e33cd3366d"
      }
   ],
   "generation":7,
   "id":"5b688828-2279-40b0-9dc1-eccdebb6837f",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:revoke-tokens:oauthrevoketokentaskitemstate",
   "lastUpdateMicros":1473733104269292,
   "ownerMachineId":"fd870e82-842d-4194-a882-71cb92e2a5c3",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/revoke-tokens/5b688828-2279-40b0-9dc1-eccdebb6837f",
   "startDateTime":"2016-09-12T19:18:23.451-0700",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

Result

By using the BIG-IQ public API to perform the above tasks, users can write a script that completes the workflow to revoke OAuth tokens on BIG-IP devices.
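
The workflow above as an added example (not F5's code): it pulls the cluster name, Access group name and device reference out of a MachineId Resolver response, builds a validated body for the revoke-tokens POST, and polls a task until it reaches a terminal status. The function names and the caller-supplied `get_task` callable are assumptions, the HTTP transport is left to the caller, and `SAMPLE_RESOLVER` is a constructed sample trimmed from the response shown on this page.

```python
import time

# Constructed sample: one item trimmed from the MachineId Resolver response on this page.
SAMPLE_RESOLVER = {"items": [{
    "machineId": "98901455-6384-47cd-bc41-00a39dfe338f",
    "address": "10.255.4.124",
    "properties": {"cm-access-allBigIpDevices": {
        "clusterName": "BlueCluster",
        "cm:access:access-group-name": "TestGroup"}},
    "selfLink": "https://localhost/mgmt/cm/system/machineid-resolver/"
                "98901455-6384-47cd-bc41-00a39dfe338f",
}]}

# Each action and the field it requires, as documented on this page.
ACTIONS = {
    "REVOKE_TOKEN_FOR_USER": "userName",
    "REVOKE_TOKEN_FOR_CLIENT_ID": "clientId",
    "REVOKE_LIST_OF_TOKENS": "perDeviceOauthIds",
}
FILTERS = ("accessGroupNames", "clusterNames", "deviceReferences")
TERMINAL = {"FINISHED", "FAILED", "CANCELLED"}


def device_facts(resolver_response, address):
    """Return cluster name, Access group name and device reference for one device."""
    for item in resolver_response.get("items", []):
        if item.get("address") == address:
            access = item.get("properties", {}).get("cm-access-allBigIpDevices", {})
            return {
                "machineId": item["machineId"],
                "clusterName": access.get("clusterName"),
                "accessGroupName": access.get("cm:access:access-group-name"),
                "deviceReference": {"link": item["selfLink"]},
            }
    raise LookupError(f"no managed device with address {address}")


def build_revoke_body(action, value, **filters):
    """Build the POST body for the revoke-tokens task, rejecting incomplete input."""
    action = action.strip()  # guard against stray whitespace in the action string
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not value:
        raise ValueError(f"{ACTIONS[action]} is required for {action}")
    unknown = set(filters) - set(FILTERS)
    if unknown:
        raise ValueError(f"unknown filter(s): {sorted(unknown)}")
    scope = {name: vals for name, vals in filters.items() if vals}
    if not scope:
        raise ValueError("at least one of %s is required" % ", ".join(FILTERS))
    return {"action": action, ACTIONS[action]: value, **scope}


def wait_for_task(get_task, interval=2.0, max_polls=30, sleep=time.sleep):
    """Poll until the task status is terminal; returns (succeeded, last_task_json).

    get_task is any callable returning the task JSON (for example a GET on the
    task's selfLink). Only FINISHED counts as success: after FAILED, CANCELLED
    or a timeout the tokens must be assumed to be still valid.
    """
    for _ in range(max_polls):
        task = get_task()
        if task.get("status") in TERMINAL:
            return task["status"] == "FINISHED", task
        sleep(interval)
    raise TimeoutError("revoke-tokens task did not reach a terminal status")
```
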