RFC 7009 OAuth 2.0 Token Revocation
Allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed.
The OAuth 2.0 core specification RFC6749 defines several ways for a client to obtain refresh and access tokens. RFC 7009 supplements the core specification with a mechanism to revoke both types of tokens.
Request and response
The client requests the revocation of a particular token by making an HTTP POST request to the token revocation endpoint URL.
The following is a non-normative example request for a refresh token:
POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
An invalid token type hint value is ignored by the authorization server and does not influence the revocation response.
The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token. Note that invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way.
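The following is an added example (not part of the RFC or of this site's own code) showing both sides of the exchange described above: a client that builds the form-encoded revocation request, and a minimal authorization server handler that authenticates the client, ignores an unknown token_type_hint, answers 200 for unknown or already-revoked tokens, and, when a refresh token is revoked, also drops access tokens from the same grant as RFC 7009 recommends. The token store, grant ids and the second client are constructed sample data; the client credentials are the ones encoded in the page's example Authorization header.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed sample store: token -> (owning client_id, token type, grant id).
TOKENS = {
    "45ghiukldjahdnhzdauz": ("s6BhdRkqt3", "refresh_token", "grant-1"),
    "acc-token-1": ("s6BhdRkqt3", "access_token", "grant-1"),
    "other-client-token": ("otherclient", "access_token", "grant-2"),
}
# Constructed credentials; s6BhdRkqt3:gX1fBat3bV is what the page's Basic header decodes to.
CLIENT_SECRETS = {"s6BhdRkqt3": "gX1fBat3bV"}


def build_revocation_request(client_id, client_secret, token, hint=None):
    """Client side: (headers, body) for POST /revoke with HTTP Basic client auth."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"token": token}
    if hint:
        form["token_type_hint"] = hint  # optional; only a lookup optimisation for the server
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)


def authenticate_client(headers):
    """Return the client_id if the Basic credentials are valid, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return client_id if CLIENT_SECRETS.get(client_id) == secret else None


def handle_revocation(headers, body, tokens=TOKENS):
    """Authorization server side: returns the HTTP status code for the request."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401  # invalid_client (RFC 6749 sec. 5.2 error format)
    token = parse_qs(body).get("token", [None])[0]
    if token is None:
        return 400  # invalid_request: the token parameter is required
    # An unknown token_type_hint is simply ignored; the token is looked up by value.
    entry = tokens.get(token)
    if entry is None or entry[0] != client_id:
        return 200  # unknown, already revoked or foreign token: nothing revoked, no error
    if entry[1] == "refresh_token":  # cascade to every token issued under the same grant
        for t in [t for t, e in tokens.items() if e[2] == entry[2]]:
            del tokens[t]
    else:
        del tokens[token]
    return 200
```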
API resources
To revoke a token the client submits a URL-encoded TokenRevocationRequest configuration.
Authorization | string | HEADER | HTTP Basic authorization header encoding the
Response | application/json | The authorization server responds with HTTP status code 200 OK if the token has been revoked successfully or if the client submitted an invalid token.