When calling the revoke endpoint (/oauth2/token/revoke) to revoke a refresh token (which also revokes the access token), a large number (8) of LDAP operations go into revoking the tokens. The LDAP operations associated with a revoke are:
SEARCH for the grant token (coreTokenId=b2ab918f-1961-489f-ab09-0d7305ab5fea)
DELETE the grant token
ADD a blacklist entry for the grant token (coreTokenId=blacklist-oauth2-stateless-b2ab918f-1961-489f-ab09-0d7305ab5fea)
SEARCH for associated tokens (coreTokenString15=afd308bc-ab6c-4a55-9589-09320e6f5252)
ADD a blacklist entry for refresh token (coreTokenId=blacklist-oauth2-stateless-1ebb1958-a8db-40fc-806a-42b46a1ad884)
DELETE the refresh token (coreTokenId=1ebb1958-a8db-40fc-806a-42b46a1ad884)
ADD a blacklist entry for access token (coreTokenId=blacklist-oauth2-stateless-8212086a-4516-4999-b561-bfb82e72542a)
DELETE the access token (coreTokenId=8212086a-4516-4999-b561-bfb82e72542a)
In addition, revoking the refresh token does not reduce the number of tokens in the CTS, because each token now has an associated blacklist entry, which may cause unexpected growth of the CTS DB.
The DJ log of the operations is attached.
Also attached is an LDIF of the CTS before and after.
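
One way to confirm the operation count and the net change in CTS entries from a directory access log, as an added example that is not part of the original report or the product's own code. The log lines are constructed in the style of an OpenDJ access log; the base DN, timestamp and connection numbers are assumptions, and the token identifiers are the ones listed above.

```python
import re
from collections import Counter

# Token identifiers taken from the report above.
GRANT = "b2ab918f-1961-489f-ab09-0d7305ab5fea"
REFRESH = "1ebb1958-a8db-40fc-806a-42b46a1ad884"
ACCESS = "8212086a-4516-4999-b561-bfb82e72542a"
BL = "blacklist-oauth2-stateless-"
BASE = "ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com"  # assumed base DN

# The eight operations of one revoke, in the order the report lists them.
STEPS = [
    ("SEARCH", "coreTokenId=" + GRANT), ("DELETE", GRANT), ("ADD", BL + GRANT),
    ("SEARCH", "coreTokenString15=afd308bc-ab6c-4a55-9589-09320e6f5252"),
    ("ADD", BL + REFRESH), ("DELETE", REFRESH),
    ("ADD", BL + ACCESS), ("DELETE", ACCESS),
]

def sample_log():
    """Build constructed access-log lines (not the attached DJ log)."""
    lines = []
    for n, (op, target) in enumerate(STEPS, start=1):
        head = f"[01/Jan/2024:10:00:00 +0000] {op} REQ conn=7 op={n} msgID={n + 1} "
        if op == "SEARCH":
            lines.append(head + f'base="{BASE}" scope=sub filter="({target})"')
        else:
            lines.append(head + f'dn="coreTokenId={target},{BASE}"')
    return "\n".join(lines)

REQ = re.compile(r"\] (ADD|DELETE|SEARCH|MODIFY) REQ conn=\d+ op=\d+")
DN = re.compile(r'dn="coreTokenId=([^,"]+),')

def summarize(log_text):
    """Count LDAP requests by type and the net change in CTS entries."""
    ops, blacklist_adds, net = Counter(), 0, 0
    for line in log_text.splitlines():
        m = REQ.search(line)
        if not m:
            continue
        op = m.group(1)
        ops[op] += 1
        dn = DN.search(line)
        if op == "ADD" and dn:
            net += 1
            blacklist_adds += int(dn.group(1).startswith(BL))
        elif op == "DELETE" and dn:
            net -= 1
    return {"ops": dict(ops), "total": sum(ops.values()),
            "blacklist_adds": blacklist_adds, "net_entries": net}

if __name__ == "__main__":
    print(summarize(sample_log()))
```

A `net_entries` of 0 for a revoke is the behaviour the report describes: three token entries deleted, three blacklist entries added.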