Token Revocation Endpoint
1. Revoking Obtained Access And Refresh Tokens
Clients can notify the cidaas server that a previously obtained refresh or access token is no longer needed. This is done by making a request to the token revocation endpoint, as specified in RFC 7009. The server will invalidate the specified token and, if applicable, other tokens based on the same authorization grant.
2. The Token Revocation Endpoint URL
The token revocation endpoint URL can be obtained from the server discovery endpoint:
3. Client Authentication
Unless they are public, clients must authenticate to the server with their registered credentials, such as client secret, in order to make a token revocation request.
Client secret Basic is the default authentication method, unless the client has been registered for another method.
Authorization: Basic eyJhbGciOiJSUzI1NiIsImtpZCI6ImVm
4. Web API Overview
| Resources |
|---|
|
| Representations | Errors |
|---|---|
|
4. Resources
4.1 /token-srv/revoke
4.1.1 POST
Revokes an obtained refresh or access token.
Header Parameters:
- [ Authorization ] Used for HTTP basic authentication of the client.
-
Content-Type Must be set to
application/x-www-form-urlencoded.
Body with form parameters:
- token The token that the client wants to get revoked.
-
[ token_type_hint ] Optional hint about the type of the submitted token:
- access_token — the token is an access token
- id_token — the token is an id token
- refresh_token — the token is a refresh token
Success:
Code: 200
Errors:
- 400 Bad Request
- 401 Unauthorised
- 500 Internal Server Error
Example: token revocation request hinting its type:
POST /token-srv/revoke HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic eyJhbGciOiJSUzI1NiIsImtpZCI6Im
{
"token":eyJhbGciOiJSUzI1NiIsImtpZCI6ImVmYmRmNmQ,
"token_type_hint": "access_token"
}
Example: token revocation request; the server will be let to determine the token type:
POST /token-srv/revoke HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic eyJhbGciOiJSUzI1NiIsImtpZCI6Im
{
"token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImVmYmRmNmQ"
}
The server will return a 200 status regardless of whether the submitted token was valid or not (required by the specification):
HTTP/1.1 200 OK
5. Errors
400 Bad Request
Invalid or malformed request.
Example:
HTTP/1.1 400 Bad Request
401 Unauthorized
The request was denied due to an invalid or missing client authentication.
Example:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Beare
500 Internal Server Error
An internal server error has occurred. Check the cidaas server logs for details.
Example:
HTTP/1.1 500 Internal Server Error