Questions tagged [revoke-token]

Use with questions about token (either access or refresh) revocation, a process of notifying the authorization server issuing a token that it should no longer be used.

Usage guidance

Use for questions on the security procedure of revoking tokens.

Always use with the main tag:

About

Token revocation is a procedure defined by RFC 7009 for revoking access or refresh tokens obtained via the OAuth 2.0 authorization mechanism. Tokens are revoked via a POST request to a special secure endpoint URL. According to the standard, the procedure is as follows:

  1. The client sends an application/x-www-form-urlencoded payload in an authenticated request to the endpoint with fields:

     | Key | Meaning | Required? | Allowed values |
     | --- | --- | --- | --- |
     | token | the token to be revoked | yes | - |
     | token_type_hint | type of the token to be revoked | no | access_token, refresh_token |

  2. The server validates the request credentials and verifies that the token was ever issued.

  3. If both checks in step 2 pass, the server invalidates the token; otherwise the request is refused. In both cases, an HTTP 200 response is sent.

    In the case of an unsupported token type, the server sends an HTTP 400 response structured as defined in RFC 6749. A revocation-specific error code unsupported_token_type is included in the response.

    In case of server error, an HTTP 503 response is sent, and the client is free to retry the request immediately or after a specified amount of time if an optional Retry-After header is present.
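The client side of the procedure above, as an added example (not code from the tag wiki or from RFC 7009): it builds the revocation request and maps each response class to an action. The function names, the outcome labels and the use of HTTP Basic for client authentication are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

ALLOWED_HINTS = {"access_token", "refresh_token"}


def build_revocation_request(endpoint, token, client_id, client_secret, hint=None):
    """Build the authenticated, form-encoded POST from step 1."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("revocation endpoint must use HTTPS")
    if hint is not None and hint not in ALLOWED_HINTS:
        raise ValueError(f"invalid token_type_hint: {hint!r}")
    fields = {"token": token}
    if hint:
        fields["token_type_hint"] = hint
    # Assumption: the server accepts HTTP Basic client authentication.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        endpoint,
        data=urllib.parse.urlencode(fields).encode(),
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Basic {creds}",
        },
        method="POST",
    )


def interpret_response(status, headers, body):
    """Map a revocation response to (outcome, retry_after_seconds)."""
    if status == 200:
        # Sent whether or not the token was valid; discard local copies.
        return ("done", None)
    if status == 400:
        try:
            error = json.loads(body or b"{}").get("error")
        except (ValueError, AttributeError):
            error = None
        if error == "unsupported_token_type":
            return ("unsupported_token_type", None)
        return ("rejected", None)
    if status == 503:
        value = (headers.get("Retry-After") or "").strip()
        # Retry-After may also be an HTTP date; only the seconds form is parsed.
        ok = value.isascii() and value.isdigit()
        return ("retry", int(value) if ok else 0)
    return ("unexpected", None)
```

Pass the returned request to `urllib.request.urlopen` and feed the status, headers and body of the reply (or of the raised `HTTPError`) to `interpret_response`.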

23 questions
0
votes
1 answer

Can't revoke Google calendar token

We are using the Google Calendar API. When attempting to revoke the access token (we've also tried the refresh token just in case) for the account, we get the following 400 response: b'{\n "error": "invalid_token",\n "error_description": "Token…
0
votes
1 answer

WSO2 Identity Server 5.7.0 Revoke Method doesn't work

WSO2 Identity Server 5.7.0 Revoke Method doesn't work, resulting in Error Code: 401 -> UnAuthorize. This link says how to use the revoke method, and I want to use this for C# code: WebRequest request2 =…
0
votes
1 answer

Is it (now) possible to revoke Gitlab access tokens through the API?

Two years ago, someone asked if it was possible to programmatically revoke access tokens through the Gitlab API. The answer then was no. I have not located recent information confirming or rejecting that this is still true. I was hoping to use…
d-cubed
0
votes
0 answers

FB Logout Flow: how to revoke user permissions?

I was having problems with my FB logout flow, and I think I have it. I ended up having to add an HTTP DELETE request to https://graph.facebook.com/v9.0/[user-ID]/permissions?access_token=[access_token] in order to revoke the user's permissions. The…
The Chau
0
votes
1 answer

How to get success/fail callback for `revoke` request with Google OAuth2 REST API?

Since Google's OAuth 2.0 endpoint for revoking tokens does not support CORS, and the request should be made by POST they suggest using a form and submit it to the endpoint rather than use the Ajax method to post the request. OAuth 2.0 for Client Web…
pery mimon
0
votes
1 answer

How to revoke all jwt tokens for a specific user?

I know an access token is self-contained and therefore can't be revoked. To my understanding, this is why the expiration time of an access token often is low. This enables one to revoke the refresh token, and thereby only allow users to be signed…
0
votes
1 answer

How to revoke on logout in PHP and be able to get the login page with PingFederate?

I am using OAuth2 of PingFederate and I am able to successfully log in. Now the question is how to call the API to log out and what is the parameter for that? Below is the example code I am using for revoke using a curl request. When I run the revoke…
0
votes
1 answer

HTTP Request to revoke the WSO2 Oauth2 token

I want to revoke a token provided to the user through an OAuth2 login. I want to do an HTTP POST request from a JavaScript app. The WSO2 documentation provides a Curl example. Tried: Tried with curl by providing the syntax. It works perfectly…
Viddhiyartha