Bug ID 606072: User deletion doesn't delete tokens issued for that user at max 15 seconds

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP All(all modules)

Fixed In:

Opened: Jul 20, 2016

Severity: 3-Major


REST Framework polls for any changes in user every 15 seconds. When user is removed from MCP directly using tmsh or BIG-IP GUI, for REST that user will be still valid for at most 15 seconds. So any authentication tokens issued will not be invalidated and all REST API requests will work as that user remains valid until user deletion is synced.


After user deletion from MCP, tokens issued for that user will not immediately deleted from REST


This occurs when users are deleted and the user is still using iControl REST.


After user deletion, customer need to wait at most 15 seconds for change to take effect in REST API

Fix Information

When user is removed from REST, all tokens issued for that user is invalidated immediately. If a user is removed from MCP either using TMUI or tmsh, that change will be synced to REST after 15 seconds in the worse case.

Behavior Change

Auth token is removed upon user deletion.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips