by prabaths 3174 days ago
Well... yes - one way to do that is to have a way to propagate revocation events from the issuer to the upstream applications - and each upstream application, possibly at the gateway level or at an interceptor, will check the incoming tokens against a revoked list of tokens. You may also check: http://openid.net/wg/risc/.

Like a revocation list of JTIs in an in-memory distributed cache to be checked by the edge service; yes, not a bad idea, though there is a cost involved there.
Yes - revocation is always tricky - that's why Netflix moved to short-lived certs - and forgot about cert revocation. Here is a blog I wrote on the Netflix model: https://medium.facilelogin.com/short-lived-certificates-netf...
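The pattern the thread sketches, as an added example that is not code from the original comments or from the projects they link: the issuer mints short-lived JWTs that each carry a unique jti, pushes revocation events to the edge, and the gateway interceptor verifies the signature and expiry first and then checks the jti against a denylist. Assumptions made here: HS256 with a constructed shared secret (a real gateway would hold only the issuer's verification key), a plain in-process dict standing in for the distributed cache, and a constructed event shape `{"jti": ..., "exp": ...}` that is not the RISC event schema. Because each denylist entry carries the token's exp, the cache only ever holds jtis revoked within the last TTL window, which is the cost trade-off the replies mention.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by issuer and gateway; assumption for this example.
SECRET = b"constructed-demo-signing-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, jti: str, ttl: int, now: int) -> str:
    """Issuer side: a short-lived HS256 JWT carrying a unique jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class RevocationCache:
    """Stand-in for the in-memory distributed cache the edge consults.
    Entries keep the token's exp so they can be dropped once the token would
    be rejected as expired anyway; with short-lived tokens the denylist is
    bounded by one TTL window of revocations."""

    def __init__(self) -> None:
        self._revoked = {}  # jti -> exp

    def apply_event(self, event: dict) -> None:
        """Consume a revocation event pushed by the issuer.
        Constructed shape {"jti": ..., "exp": ...}; not a real RISC event."""
        self._revoked[str(event["jti"])] = int(event["exp"])

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: int) -> int:
        """Drop entries whose tokens have expired on their own; returns count."""
        stale = [j for j, exp in self._revoked.items() if exp <= now]
        for j in stale:
            del self._revoked[j]
        return len(stale)

    def __len__(self) -> int:
        return len(self._revoked)


def verify_at_edge(token: str, cache: RevocationCache, now: int):
    """Gateway interceptor: structure, alg, signature, expiry, then the jti
    denylist. Returns (accepted, reason, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return False, "malformed", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed", None
    # Pin the algorithm so an attacker-supplied "none" header is never honoured.
    if header.get("alg") != "HS256":
        return False, "bad-alg", None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature", None
    # Only trust claims after the signature check. Expiry comes before the
    # denylist lookup so the cache never has to answer for dead tokens.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired", None
    jti = claims.get("jti")
    # A token without a jti can never be revoked, so the edge refuses it.
    if not isinstance(jti, str) or not jti:
        return False, "missing-jti", None
    if cache.is_revoked(jti):
        return False, "revoked", None
    return True, "ok", claims


if __name__ == "__main__":
    now = 1_700_000_000
    cache = RevocationCache()
    tok = mint_token("alice", "jti-1", ttl=300, now=now)
    print(verify_at_edge(tok, cache, now)[1])          # ok
    cache.apply_event({"jti": "jti-1", "exp": now + 300})
    print(verify_at_edge(tok, cache, now + 10)[1])     # revoked
    print(verify_at_edge(tok, cache, now + 300)[1])    # expired
    print(cache.prune(now + 300), len(cache))          # 1 0
```

The order of checks matters at the edge: signature and expiry are verified before the cache is consulted, so an unauthenticated caller cannot turn the denylist lookup into load on the shared cache, and the prune step is what keeps the list from growing past the token TTL.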