Articles Getting Started How-tos Guides Code Examples Documentation Videos Webinars Courses Documents

Revoking OAuth Tokens

tutorials

5 min

On this page

Revoking OAuth Access and Refresh Tokens

Access tokens and refresh tokens expire at some point in time. Access tokens tend to expire quickly, whereas refresh tokens last longer. Their validity period is set when created. The period for which they are valid depends on factors such as:

How the user authenticated and when
The client application that was used
The scopes that the user delegated

Other contextual information can be considered when setting the duration of validity as well. When a token should be expired before this time, it should be revoked.

Pre-requisites

This tutorial builds on the configuration setup described in the steps First Configuration and Configure an Authenticator under the menu Getting Started. If you have not gone through those steps yet, you can visit the guides by clicking on the links.

You may run this tutorial on a custom setup also, but keep in mind that names and URLs may be different, as well as the capabilities configured in the profiles.

You will also need a client that can provide access tokens and refresh tokens. If you follow the code flow tutorial, you will have obtained both.

Overview

Revoke Endpoint

The client sends the token to be revoked along with credentials to the revoke endpoint
The server responds an empty body and a status code

For more details about how revocation works see OAuth Revoke.

Setup in Curity

No additional setup is needed from the previous steps.

Making Requests with the Client

After obtaining tokens using any flow, a request to the revoke endpoint can be made. The endpoint path can be configured to be any path, but in the default setup it can be found at https://localhost:8443/oauth/v2/oauth-revoke

bash

1234

curl -X POST \
  https://localhost:8443/oauth/v2/oauth-revoke \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_id=www&client_secret=THE_SECRET&token=5137ace0-3805-4338-be5a-56ed4f001cf4'

The response should be a 200. Now the token is revoked and can no longer be used.

The same call can be used for a refresh token. After revoking a refresh token it is no longer possible to use neither of the tokens.

Join our Newsletter

Get the latest on identity management, API Security and authentication straight to your inbox.

Start Free Trial

Try the Curity Identity Server for Free. Get up and running in 10 minutes.

Start Free Trial

Was this helpful?

Next steps

Start Today

Ready to modernize IAM? Build security and improve ease of use to stay ahead of the competition.

Start a Free Trial

Schedule a demo

Speak to an Identity Specialist

Explore learning resources

Overview

Architecture

Learn More

SECURITY SOLUTIONS

INDUSTRY

Resource Library

Tutorials & Guides

Learn More

Inserting API Access Security into the NIST Cybersecurity Framework 2.0 Conversation

Meet Curity at apidays New York

Revoking OAuth Tokens

Revoking OAuth Access and Refresh Tokens

Pre-requisites

Overview

Revoke Endpoint

Setup in Curity

Making Requests with the Client

Join our Newsletter

Start Free Trial

Start Today