NGINX must revoke access tokens in accordance with organization-defined identification and authentication policy.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-278411	SRG-APP-001020	NGNX-APP-003330	SV-278411r1172756_rule	2026-01-07	1

Description
An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens. Satisfies: SRG-APP-001020, SRG-APP-001025

Description

An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens. Satisfies: SRG-APP-001020, SRG-APP-001025

ℹ️ Check
Verify NGINX Plus revokes or invalidates access tokens: Check support for token revocation enforcement: # grep -i "introspect\\|revok\\|blacklist\\|logout" /etc/nginx/conf.d/.conf Confirm token validation includes checking revocation status using: - OAuth2 introspection endpoint. - Token revocation list. - Allowlist or deny-list implementation. - Explicit session logout propagation. Inspect logout and session termination handling: # grep -i "session_timeout\\|logout\\|revoke" /etc/nginx/conf.d/.conf Ensure sessions are invalidated upon: - User logout. - Token expiration. - Authentication source change (e.g., password reset). Token revocation events (manual or automatic) must be logged with user ID, reason, and timestamp. If NGINX Plus does not support access token revocation or fails to enforce revocation upon compromise or logout, this is a finding.

ℹ️ Check

Verify NGINX Plus revokes or invalidates access tokens: Check support for token revocation enforcement: # grep -i "introspect\|revok\|blacklist\|logout" /etc/nginx/conf.d/*.conf Confirm token validation includes checking revocation status using: - OAuth2 introspection endpoint. - Token revocation list. - Allowlist or deny-list implementation. - Explicit session logout propagation. Inspect logout and session termination handling: # grep -i "session_timeout\|logout\|revoke" /etc/nginx/conf.d/*.conf Ensure sessions are invalidated upon: - User logout. - Token expiration. - Authentication source change (e.g., password reset). Token revocation events (manual or automatic) must be logged with user ID, reason, and timestamp. If NGINX Plus does not support access token revocation or fails to enforce revocation upon compromise or logout, this is a finding.

✔️ Fix
Configure NGINX Plus to enforce access token revocation mechanisms. Enable token revocation via introspection endpoint (OIDC/OAuth2): location = /token/introspect { internal; proxy_pass https://auth.example.mil/oauth2/introspect; proxy_set_header Content-Type "application/x-www-form-urlencoded"; proxy_pass_request_body on; proxy_set_body "token=$http_authorization"; } Fail-closed on invalid or revoked token: location /secure/ { auth_request /token/introspect; error_page 401 = @error_revoke; } location @error_revoke { return 401 "Access token revoked or invalid."; } Revoke tokens during logout flows: Redirect logout requests to IdP to invalidate tokens: location = /logout { return 302 https://auth.example.mil/logout?token=$http_authorization; } Log all token revocation events: log_format token_revocation '$remote_addr - $remote_user [$time_local] ' '"$request" status=$status ' 'token_id="$jwt_jti" revoked="true" '; access_log /var/log/nginx/token_revocation.log token_revocation;

✔️ Fix

Configure NGINX Plus to enforce access token revocation mechanisms. Enable token revocation via introspection endpoint (OIDC/OAuth2): location = /token/introspect { internal; proxy_pass https://auth.example.mil/oauth2/introspect; proxy_set_header Content-Type "application/x-www-form-urlencoded"; proxy_pass_request_body on; proxy_set_body "token=$http_authorization"; } Fail-closed on invalid or revoked token: location /secure/ { auth_request /token/introspect; error_page 401 = @error_revoke; } location @error_revoke { return 401 "Access token revoked or invalid."; } Revoke tokens during logout flows: Redirect logout requests to IdP to invalidate tokens: location = /logout { return 302 https://auth.example.mil/logout?token=$http_authorization; } Log all token revocation events: log_format token_revocation '$remote_addr - $remote_user [$time_local] ' '"$request" status=$status ' 'token_id="$jwt_jti" revoked="true" '; access_log /var/log/nginx/token_revocation.log token_revocation;