Revoking OAuth Tokens
Access tokens and refresh tokens expire at some point in time. Access tokens tend to expire quickly, whereas refresh tokens last longer. Their validity period is set when created. The period for which they are valid depends on factors such as:
- How the user authenticated and when
- The client application that was used
- The scopes that the user delegated
Other contextual information can be considered when setting the duration of validity as well. When a token should be expired before this time, it should be revoked.
This tutorial builds on the configuration setup described in the "First Configuration" and the "Configure an Authenticator" steps under the menu "Getting Started". If you haven't done those steps yet you can visit those guides here:
It's possible to run this tutorial on a custom setup also, but the URLs may be different, as well as the capabilities configured in the profiles.
You will also need a client that can provide access tokens and refresh tokens. If you follow the code flow tutorial, you will have obtained both.
- The client sends the token to be revoked along with credentials to the revoke endpoint
- The server responds an empty body and a status code
For more details about how revocation works see OAuth Revoke.
No additional setup is needed from the previous steps.
After obtaining tokens using any flow, a request to the revoke endpoint can be made. The endpoint path can be configured to be any path, but in the default setup it can be found at
curl -X POST \ https://localhost:8443/oauth/v2/oauth-revoke \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'client_id=www&client_secret=THE_SECRET&token=5137ace0-3805-4338-be5a-56ed4f001cf4'
The response should be a 200. Now the token is revoked and can no longer be used.
The same call can be used for a refresh token. After revoking a refresh token it is no longer possible to use neither of the tokens.