Initiate revoke by Resource Owner

We have a client A which obtains access and refresh tokens via the Authorization Code Flow. We want to allow the resource owner to have the ability to revoke any tokens that have already been issued.

I found the /revoke endpoint which appears to do what I want: Revoking refresh tokens will automatically invalid corresponding access tokens which is great. However when testing this it appears that I will need to use Client A’s clientId and clientSecret in order to do this. The documentation says

“A client may only revoke its own tokens”

That line seems to suggest that only clientA can initiate /revoke. Is there another method to achieve revocation of clientA’s tokens initiated by the resource owner or even the resource server side?


I believe it is because the revoke endpoint requires client authentication. If the resource owner has access to the client id and client secret, then it can make the revoke request as well.

Note: The /revoke endpoint requires client authentication. See the Client authentication methods section for more information on which method to choose and how to use the parameters in your request.