Initiate revoke by Resource Owner

Hi,
We have a client A which obtains access and refresh tokens via the Authorization Code Flow. We want to allow the resource owner to have the ability to revoke any tokens that have already been issued.

I found the /revoke endpoint which appears to do what I want: revoking refresh tokens will automatically invalidate corresponding access tokens, which is great. However, when testing this it appears that I will need to use Client A’s clientId and clientSecret in order to do this. The documentation says

“A client may only revoke its own tokens”

That line seems to suggest that only clientA can initiate /revoke. Is there another method to achieve revocation of clientA’s tokens initiated by the resource owner or even the resource server side?

Thanks,
Wei

I believe it is because the revoke endpoint requires client authentication. If the resource owner has access to the client id and client secret, then it can make the revoke request as well.

Note: The /revoke endpoint requires client authentication. See the Client authentication methods section for more information on which method to choose and how to use the parameters in your request.
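As an added illustration of the point in the reply above (this is example code written for this thread, not code from the original posts or from the vendor's SDK or documentation), the script below mocks an RFC 7009 /revoke handler and a confidential client. The revocation URL, client ids and secrets are constructed placeholders. It shows why the resource owner's browser cannot call /revoke directly: the request is refused with `invalid_client` unless it carries the client's own credentials, another client's credentials revoke nothing, and a correctly authenticated revocation of the refresh token also invalidates the access token issued with it. The practical consequence is that a resource-owner "log me out everywhere" button should post to Client A's own back end, which holds the secret and makes the /revoke call server-side.

```python
"""Token revocation (RFC 7009) with client authentication, mocked offline."""
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed placeholder; a real deployment uses its authorization server's URL.
REVOKE_URL = "https://authz.example.invalid/oauth2/v1/revoke"


def build_revocation_request(revoke_url, client_id, client_secret, token,
                             token_type_hint="refresh_token"):
    """Build the HTTP request a confidential client sends to /revoke.

    Client authentication is HTTP Basic with the id and secret form-encoded
    before base64 (RFC 6749 section 2.3.1). The token travels in the form
    body, never in the URL, so it does not land in access logs.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return {
        "method": "POST",
        "url": revoke_url,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token, "token_type_hint": token_type_hint}),
    }


@dataclass
class MockAuthorizationServer:
    """Minimal stand-in for the authorization server's /revoke behaviour."""
    clients: dict = field(default_factory=dict)  # client_id -> client_secret
    tokens: dict = field(default_factory=dict)   # token value -> record

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue_tokens(self, client_id):
        """Issue a refresh token and an access token bound to it."""
        refresh, access = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[refresh] = {"client_id": client_id, "active": True, "children": [access]}
        self.tokens[access] = {"client_id": client_id, "active": True, "children": []}
        return refresh, access

    def is_active(self, token):
        rec = self.tokens.get(token)
        return bool(rec and rec["active"])

    def _authenticate(self, headers):
        """Return the client id for valid Basic credentials, else None."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            cid, secret = base64.b64decode(auth[6:], validate=True).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        cid, secret = unquote(cid), unquote(secret)
        expected = self.clients.get(cid)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None
        return cid

    def handle_revoke(self, request):
        """Return (status, json_body) as an RFC 7009 endpoint would."""
        client_id = self._authenticate(request["headers"])
        if client_id is None:
            return 401, {"error": "invalid_client"}
        form = parse_qs(request["body"])
        hint = form.get("token_type_hint", [None])[0]
        if hint not in (None, "access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}
        rec = self.tokens.get(form.get("token", [None])[0])
        # Unknown tokens and tokens issued to a different client are ignored with
        # a 200: "a client may only revoke its own tokens", and the response must
        # not reveal whether another client's token exists.
        if rec is not None and rec["client_id"] == client_id:
            rec["active"] = False
            for child in rec["children"]:  # refresh revocation cascades to access
                self.tokens[child]["active"] = False
        return 200, {}


def demo():
    """Resource-owner-initiated revocation must go through Client A's back end."""
    server = MockAuthorizationServer()
    server.register_client("client-a", "secret-a")
    server.register_client("client-b", "secret-b")
    refresh, access = server.issue_tokens("client-a")
    result = {}
    # 1. A caller without Client A's secret (e.g. the owner's browser) is refused.
    result["unauthenticated_status"] = server.handle_revoke(
        build_revocation_request(REVOKE_URL, "client-a", "guess", refresh))[0]
    # 2. Client B, authenticated, cannot revoke Client A's token.
    result["other_client_status"] = server.handle_revoke(
        build_revocation_request(REVOKE_URL, "client-b", "secret-b", refresh))[0]
    result["active_after_other_client"] = server.is_active(refresh)
    # 3. Client A's back end revokes the refresh token on the owner's behalf.
    result["own_status"] = server.handle_revoke(
        build_revocation_request(REVOKE_URL, "client-a", "secret-a", refresh))[0]
    result["refresh_active_after"] = server.is_active(refresh)
    result["access_active_after"] = server.is_active(access)
    return result


if __name__ == "__main__":
    print(demo())
```

Because the mock returns 200 for unknown or foreign tokens, a client cannot use /revoke to probe whether another client's token exists; the only signal it gets is whether its own credentials were accepted.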
