OAuth 2.0 token revocation endpoint

1. Revoking obtained access and refresh tokens

A client can notify the Connect2id server that a previously obtained refresh or access token is no longer needed. This is done by a call to the token revocation endpoint, as specified in RFC 7009. The server will invalidate the specified token, plus all other access and refresh tokens issued to the client for the same end-user. If a matching persisted authorisation record exists, it will be deleted also.

2. The token revocation endpoint URL

It can be found out from the revocation_endpoint advertised in the Connect2id server metadata and has this form:

https://[base-server-url]/token/revoke

3. Client authentication

Confidential clients must authenticate and public clients must identify themselves as they would at the token endpoint.

4. Web API overview

Resources
Representations Errors

4. Resources

4.1 /token/revoke

4.1.1 POST

Revokes an obtained refresh or access token, plus all other tokens based on the same authorisation grant. If a matching persisted authorisation record exists, it will be deleted also.

Header parameters:

  • [ Authorization ] Used for HTTP basic authentication of the client.

  • Content-Type Must be set to application/x-www-form-urlencoded.

  • [ Issuer ] The issuer URL when issuer aliases are configured, or the issuer URL for a tenant (in the multi-tenant Connect2id server edition). The tenant can be alternatively specified by the Tenant-ID header.

  • [ Tenant-ID ] The tenant ID (in the multi-tenant Connect2id server edition). The tenant can be alternatively specified by the Issuer header.

Body with form parameters:

  • token The token.

  • [ token_type_hint ] Optional hint about the type of the submitted token; if omitted the server will use heuristics to determine the token type:

    • access_token -- the token is an access token

    • refresh_token -- the token is a refresh token

Success:

  • Code: 200

Errors:

Example token revocation request hinting its type:

POST /token/revoke HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=Ohw8choo.wii3ohCh.Eesh1AeDGong3eir
&token_type_hint=refresh_token

Example token revocation request; the server will be let to determine the token type:

POST /token/revoke HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=Ohw8choo.wii3ohCh.Eesh1AeDGong3eir

The server will return a 200 status regardless of whether the submitted token was valid or not (required by the specification):

HTTP/1.1 200 OK

5. Errors

400 Bad Request

Invalid or malformed request.

Example:

HTTP/1.1 400 Bad Request

401 Unauthorized

The request was denied due to an invalid or missing client authentication.

Example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error