How do I revoke a token?

Hi Friends,

I'm trying to understand SSO. We have been able to do the logout from our system, and now we are trying to revoke the token. The users log in to the system using OIDC with a PKCE process, and we have many users using mobile devices. To do the revoke we are sending a POST to our revoke endpoint with only two parameters:

  1. token_type_hint=access_token
  2. token=the user token

Okta's reply is "Bad request". In the documentation I have read about another parameter, "Authorization: Basic …". I understand that in my case the authorization is Bearer, so how can I do the revoke?

Any help will be very appreciated

As noted in our documentation, client authentication is required in order to revoke a user's access or refresh tokens. The format for your client authentication (as you are using PKCE auth) will be different from what it would be if you had a client secret, doc'd here.

For any endpoint that specifies client authentication is required, including /revoke, PKCE apps will need to include the client_id in the body of the request instead of supplying a clientId: clientSecret authorization header. See example here.

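To make the answer above concrete, here is an added example (not code from the original posts or from Okta) that builds the /revoke request the way a public PKCE client must: client_id as a form field in the body, no Basic Authorization header, and the token value sent unquoted. It assumes the default authorization server path and a placeholder org URL; the confidential-client branch (HTTP Basic) is included only for contrast.

```python
"""Revoke an OAuth 2.0 token at Okta's /revoke endpoint from a public (PKCE) client."""
import base64
import json
from typing import Optional
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

OKTA_ORG = "https://dev-000000.okta.com"            # placeholder: your Okta org URL
REVOKE_URL = f"{OKTA_ORG}/oauth2/default/v1/revoke"  # assumes the default auth server


def build_revoke_request(token: str, client_id: str, token_type_hint: str = "access_token",
                         client_secret: Optional[str] = None) -> dict:
    """Return url, headers and form body for POST /revoke.

    A PKCE (public) client has no secret, so it authenticates by putting client_id
    in the x-www-form-urlencoded body. A confidential client instead sends
    Authorization: Basic base64(client_id:client_secret) and omits client_id.
    Values are encoded as-is: wrapping them in literal quotes would send a
    different (invalid) token string and a different client_id.
    """
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    fields = {"token": token, "token_type_hint": token_type_hint}
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    if client_secret is None:
        fields["client_id"] = client_id
    else:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return {"url": REVOKE_URL, "headers": headers, "body": urlencode(fields)}


def revoke(token: str, client_id: str, token_type_hint: str = "access_token") -> tuple:
    """Send the revoke call for a PKCE client; return (status, error_json_or_None).

    Per RFC 7009 the server answers 200 even when the token is already invalid or
    unknown, so a 400 means the request itself was rejected; the JSON body names
    the reason (for example invalid_client when client authentication failed).
    """
    r = build_revoke_request(token, client_id, token_type_hint)
    req = Request(r["url"], data=r["body"].encode(), headers=r["headers"], method="POST")
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, None
    except HTTPError as e:
        try:
            return e.code, json.loads(e.read().decode(errors="replace"))
        except ValueError:
            return e.code, None
```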

Hi Andreas,

Thanks for your answer. I did this test; the only difference was that I didn't use the host header. I sent the following parameters in order:

token_type_hint="access_token"
token=my access_token
client_id="xxxx"

I received the answer: status code=400, Bad Request.

Can you advise me on this message?

Thanks in advance

Hi Andreas,

Thanks for your help, I was able to revoke the token.

Thanks again
