Hi,
We have a client A which obtains access and refresh tokens via the Authorization Code Flow. We want to allow the resource owner to have the ability to revoke any tokens that have already been issued.
I found the /revoke endpoint which appears to do what I want: revoking refresh tokens will automatically invalidate corresponding access tokens, which is great. However, when testing this it appears that I will need to use Client A's clientId and clientSecret in order to do this. The documentation says
“A client may only revoke its own tokens”
That line seems to suggest that only clientA can initiate /revoke. Is there another method to achieve revocation of clientA’s tokens initiated by the resource owner or even the resource server side?
Thanks,
Wei
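Added example, not code from the original post or from any particular authorization server: a toy model of an RFC 7009 style /revoke endpoint that shows the two behaviours the question describes, namely that revoking a refresh token cascades to the access tokens issued from it, and that the server checks the token was issued to the authenticated client before revoking it. The client ids, secrets and `AuthorizationServer` class are hypothetical, and the error status used for a foreign token is this example's choice.

```python
"""
Toy RFC 7009 token revocation endpoint (hypothetical; not a vendor's code).

Models two rules from the question:
  1. revoking a refresh token invalidates every access token minted from it;
  2. a client may only revoke tokens that were issued to that client.
"""
import base64
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode


@dataclass
class TokenRecord:
    client_id: str                 # client the refresh token was issued to
    refresh_token: str
    access_tokens: set = field(default_factory=set)
    revoked: bool = False


class AuthorizationServer:
    def __init__(self):
        # Constructed sample client credentials for the example.
        self.clients = {"clientA": "secretA", "clientB": "secretB"}
        self.by_refresh: dict[str, TokenRecord] = {}
        self.by_access: dict[str, TokenRecord] = {}

    def issue(self, client_id: str) -> tuple[str, str]:
        """Issue a refresh token plus a first access token to client_id."""
        rec = TokenRecord(client_id, secrets.token_urlsafe(16))
        self.by_refresh[rec.refresh_token] = rec
        return rec.refresh_token, self.mint_access(rec.refresh_token)

    def mint_access(self, refresh_token: str) -> str:
        """Exchange a live refresh token for a new access token."""
        rec = self.by_refresh[refresh_token]
        if rec.revoked:
            raise PermissionError("invalid_grant: refresh token revoked")
        access = secrets.token_urlsafe(16)
        rec.access_tokens.add(access)
        self.by_access[access] = rec
        return access

    def is_active(self, access_token: str) -> bool:
        """What the resource server would learn from introspection."""
        rec = self.by_access.get(access_token)
        return rec is not None and not rec.revoked and access_token in rec.access_tokens

    def _authenticate_client(self, authorization: str) -> str:
        """HTTP Basic client authentication (clientId:clientSecret)."""
        scheme, _, b64 = authorization.partition(" ")
        if scheme != "Basic":
            raise PermissionError("invalid_client")
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
        expected = self.clients.get(client_id, "")
        if not secrets.compare_digest(expected, secret):
            raise PermissionError("invalid_client")
        return client_id

    def revoke(self, authorization: str, body: str) -> int:
        """Handle POST /revoke; returns the HTTP status the server would send."""
        client_id = self._authenticate_client(authorization)
        token = dict(parse_qsl(body)).get("token", "")
        rec = self.by_refresh.get(token) or self.by_access.get(token)
        # RFC 7009 2.2: an unknown/invalid token still yields 200, so a caller
        # cannot use the endpoint to probe which token strings exist.
        if rec is None:
            return 200
        # "A client may only revoke its own tokens": RFC 7009 says the request
        # is refused; returning 400 here is this example's choice.
        if rec.client_id != client_id:
            return 400
        if token in self.by_refresh:
            rec.revoked = True
            rec.access_tokens.clear()      # cascade: access tokens die too
        else:
            rec.access_tokens.discard(token)
        return 200


def build_revocation_request(client_id: str, client_secret: str,
                             token: str, hint: str) -> tuple[dict, str]:
    """Client side of RFC 7009: Basic auth header + form-encoded body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"token": token, "token_type_hint": hint})


def demo() -> dict:
    """Run the scenario from the question and return the observable results."""
    srv = AuthorizationServer()
    refresh_a, access_a = srv.issue("clientA")

    # Another client tries to revoke Client A's refresh token: refused.
    h, b = build_revocation_request("clientB", "secretB", refresh_a, "refresh_token")
    foreign_status = srv.revoke(h["Authorization"], b)
    still_active = srv.is_active(access_a)

    # Client A revokes its own refresh token: access tokens cascade.
    h, b = build_revocation_request("clientA", "secretA", refresh_a, "refresh_token")
    own_status = srv.revoke(h["Authorization"], b)
    after_revoke = srv.is_active(access_a)
    try:
        srv.mint_access(refresh_a)
        refresh_reusable = True
    except PermissionError:
        refresh_reusable = False

    # Unknown token: 200, nothing leaked.
    h, b = build_revocation_request("clientA", "secretA", "no-such-token", "access_token")
    unknown_status = srv.revoke(h["Authorization"], b)

    return {"foreign_status": foreign_status, "still_active": still_active,
            "own_status": own_status, "after_revoke": after_revoke,
            "refresh_reusable": refresh_reusable, "unknown_status": unknown_status}


if __name__ == "__main__":
    print(demo())
```

The point for the question: with this rule in place, the resource owner or resource server cannot call /revoke directly for Client A's tokens, because the endpoint authenticates the caller and only acts on tokens that caller owns. Revocation on behalf of the user therefore has to go through Client A's credentials or through whatever administrative or session-revocation interface the authorization server offers, which is outside RFC 7009.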