Token revocation
Last month’s 2.0 release of the Connect2id server adds a new OAuth endpoint, described in RFC 7009, which enables a client to revoke (clean up) a token that has been issued to it. This simple endpoint complements the existing rich Connect2id web API for modifying and revoking issued authorisations and access / refresh tokens.
Purpose of the token revocation endpoint
Quoting from the abstract:
[The endpoint] allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. This allows the authorization server to clean up security credentials. A revocation request will invalidate the actual token and, if applicable, other tokens based on the same authorization grant.
Usage
Revocation requests are authenticated (HTTP basic auth) with the credentials issued to the client: the client_id and client_secret.
Let’s assume you have used the demo Connect2id server via the test OpenID Connect client to obtain an access token. How do you revoke it?
The revocation request looks like this:
POST /c2id/token/revoke HTTP/1.1
Host: demo.c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MDAwMTIzOjd3S0pOWUZhS0tnNEZ4VWRpOF9SNzVHR1lzaVdlenZBYmNkTjF1U3VtRTQ=
token=eyJhbGciOiJSUzI1Ni...&token_type_hint=access_token
The token parameter must contain the exact access / refresh token value.
The token_type_hint parameter is optional and is intended to help the server resolve the token type. The possible values are access_token or refresh_token. If you omit this parameter the server will use heuristics to determine the token type.
The revocation request is specified in section 2.1 of the token revocation RFC.
The Connect2id server will respond with HTTP status code 200 if the token has been revoked successfully, and also if the client submitted an invalid token. No error status code is produced in the latter case, because the client has no adequate way to handle such an error: the token may already have been revoked by the user, or it may have expired.
HTTP/1.1 200 OK
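Both halves of the exchange above, the client's request construction and the server's status-code behaviour, modelled as an added Python example (not Connect2id's own code). The client credentials and token values are constructed placeholders, and the in-memory token store stands in for the server's real one.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed demo state (hypothetical, not real Connect2id data):
# client_id -> client_secret, and token -> (owning client_id, token type).
CLIENTS = {"000123": "example-secret"}
TOKENS = {"tok-access-1": ("000123", "access_token"),
          "tok-refresh-1": ("000123", "refresh_token")}

def basic_auth_header(client_id, client_secret):
    """Client side: RFC 6749 s2.3.1 form-encodes id and secret before the ':' join and base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def build_revocation_body(token, token_type_hint=None):
    """Client side: the application/x-www-form-urlencoded body of an RFC 7009 request."""
    form = {"token": token}
    if token_type_hint is not None:
        form["token_type_hint"] = token_type_hint
    return urlencode(form)

def authenticate_client(authorization):
    """Server side: returns the client_id, or None when the Basic credentials do not match."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        cid, _, secret = base64.b64decode(b64, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    cid, secret = unquote(cid), unquote(secret)
    expected = CLIENTS.get(cid)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return cid

def handle_revocation(authorization, body):
    """Server side: the status codes the post describes. Returns (status, error dict)."""
    client_id = authenticate_client(authorization)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    token = form.get("token", [None])[0]
    hint = form.get("token_type_hint", [None])[0]
    if token is None:
        return 400, {"error": "invalid_request"}
    if hint not in (None, "access_token", "refresh_token"):
        return 400, {"error": "unsupported_token_type"}
    # The hint only guides lookup; here the store is keyed by token value, so it is not needed.
    owner = TOKENS.get(token)
    # 200 whether the token exists, is unknown, or was already revoked: an unknown token tells
    # the client nothing it can act on. Only a token issued to this client is actually removed.
    if owner is not None and owner[0] == client_id:
        del TOKENS[token]
    return 200, {}
```

Calling handle_revocation twice with the same token returns 200 both times, which is exactly the behaviour the post describes for an already-revoked token.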