The Revoke Endpoint
The /token/revoke
endpoint is a back channel endpoint that revokes an existing token.
info
- Implementing this endpoint is optional
- This endpoint requires
TokenRepository#getByAccessToken
to be defined if usingtoken_type_hint=access_token
app.post("/token/revoke", async (req: Express.Request, res: Express.Response) => {
try {
const oauthResponse = await authorizationServer.revoke(req);
return handleExpressResponse(res, oauthResponse);
} catch (e) {
handleExpressError(e, res);
return;
}
});
Configure
Client credentials authentication is enabled by default. To disable, set authenticateRevoke
to false
.
const authoriztionServer = new AuthorizationServer(
...,
{
authenticateRevoke: false,
}
);
Request
A complete token revocation request will include the following parameters:
- token (required): The token to be revoked
- token_type_hint (optional): A hint about the type of the token submitted for revocation. Valid values are:
access_token
,refresh_token
,auth_code
The request must be authenticated using client_credentials.
View sample introspect request
You can authenticate by passing the client_id
and client_secret
as a query string, or through basic auth.
- Query String
- Basic Auth
- authenticateRevoke = false
POST /token/revoke HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
token=xxxxxxxxxx
&token_type_hint=refresh_token
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
POST /token/revoke HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MTpzdXBlci1zZWNyZXQtc2VjcmV0
token=xxxxxxxxxx
&token_type_hint=refresh_token
new AuthorizationServer(..., {
authenticateRevoke: false,
})
POST /token/revoke HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
token=xxxxxxxxxx
&token_type_hint=refresh_token
Response
The authorization server will respond with:
- An HTTP 200 (OK) status code if the token was successfully revoked or if the client submitted an invalid token
- An HTTP 400 (Bad Request) status code if the request is invalid or malformed
- An HTTP 401 (Unauthorized) status code if the client is not authorized to revoke the token
The response body will be empty for successful revocations. For error responses, the server may include additional error information as specified in the OAuth 2.0 specification
Supports the following RFC'S