OAuth 2.0 token revocation endpoint
1. Revoking obtained access and refresh tokens
Clients can notify the Connect2id server that a previously obtained refresh or access token is no longer needed. This is done by making a request to the token revocation endpoint, as specified in RFC 7009. The server will invalidate the specified token and, if applicable, other tokens based on the same authorisation grant.
2. The token revocation endpoint URL
It can be obtained from the revocation_endpoint parameter advertised in the Connect2id server metadata and has this form:
3. Client authentication
Confidential clients must authenticate and public clients must identify themselves as they would at the token endpoint.
4. Web API overview
Revokes an obtained refresh or access token.
[ Authorization ] Used for HTTP basic authentication of the client.
Content-Type Must be set to application/x-www-form-urlencoded.
Body with form parameters:
token The token that the client wants to get revoked.
[ token_type_hint ] Optional hint about the type of the submitted token; if omitted the server will use heuristics to determine the token type:
access_token -- the token is an access token
refresh_token -- the token is a refresh token
Example token revocation request hinting its type:
POST /token/revoke HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=Ohw8choo.wii3ohCh.Eesh1AeDGong3eir&token_type_hint=refresh_token
Example token revocation request without a hint; the server is left to determine the token type:
POST /token/revoke HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=Ohw8choo.wii3ohCh.Eesh1AeDGong3eir
The server will return a 200 status regardless of whether the submitted token was valid or not (required by the
HTTP/1.1 200 OK
400 Bad Request
Invalid or malformed request.
HTTP/1.1 400 Bad Request
401 Unauthorized
The request was denied due to an invalid or missing client authentication.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic
500 Internal Server Error
An internal server error has occurred. Check the Connect2id server logs for details.
HTTP/1.1 500 Internal Server Error
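The request format and status codes documented above, combined into a client-side sketch. This is an added example, not Connect2id's own code: the function names are hypothetical, and the https check and the URL-encoding of the client credentials (RFC 6749, section 2.3.1) are assumptions layered on top of what this page states.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

HINTS = {"access_token", "refresh_token"}  # the two hint values listed on this page

def build_revocation_request(endpoint, client_id, client_secret, token, hint=None):
    """Build the form-encoded POST for the revocation endpoint (nothing is sent)."""
    if urllib.parse.urlsplit(endpoint).scheme != "https":
        raise ValueError("refusing to send client secret and token to a non-TLS URL")
    if hint is not None and hint not in HINTS:
        raise ValueError(f"unsupported token_type_hint: {hint!r}")
    form = {"token": token}
    if hint:
        form["token_type_hint"] = hint
    # RFC 6749 section 2.3.1: id and secret are form-urlencoded before base64.
    pair = f"{urllib.parse.quote_plus(client_id)}:{urllib.parse.quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # The token travels in the body, never in the URL, so URL-based logs do not record it.
    return urllib.request.Request(endpoint, data=urllib.parse.urlencode(form).encode(),
                                  headers=headers, method="POST")

def classify(status):
    """Map the documented status codes to what the client may conclude."""
    return {
        200: "accepted",            # returned for valid AND invalid tokens alike
        400: "malformed_request",   # client-side bug; the token may still be live
        401: "client_auth_failed",  # nothing was revoked
        500: "server_error",        # retry later; the token may still be live
    }.get(status, "unexpected")

def revoke(request, send=urllib.request.urlopen):
    """Send the request and return the outcome; `send` is injectable for tests."""
    try:
        with send(request, timeout=10) as response:
            return classify(response.status)
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx responses
        return classify(err.code)
```

Because a 200 says nothing about whether the token was valid, the caller should delete its local copy of the token on "accepted" and treat every other outcome as "token possibly still active".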