Revoke refresh token without access token

Is it possible to revoke a user’s refresh tokens without knowing the access token?

The only documentation I can find around revoking tokens for OIDC clients is here,
https://developer.okta.com/authentication-guide/tokens/revoking-tokens/

This requires knowing the access token.

What about the case where I want to revoke a refresh token, but the access token is not known?

For example, Auth0 provides an API to list token IDs for a user, then revoke tokens by ID;

Ok, I found this:

https://developer.okta.com/docs/api/resources/users/#user-sessions

The clear user sessions API will revoke tokens:

Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.

And if done via the UI, it will also clear the tokens:

1 Like