Revoke refresh token without access token

cohen · April 29, 2019, 11:20pm

Is it possible to revoke a user’s refresh tokens without knowing the access token?

The only documentation I can find around revoking tokens for OIDC clients is here,
https://developer.okta.com/authentication-guide/tokens/revoking-tokens/

This requires knowing the access token.

What about the case where I want to revoke a refresh token, but the access token is not known?

For example, Auth0 provides an API to list token IDs for a user, then revoke tokens by ID;

cohen · April 29, 2019, 11:30pm

Ok, I found this:

The clear user sessions API will revoke tokens:

Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.

And if done via the UI, it will also clear the tokens:

Post		Replies	Views
Revoke an user access token API	3	2303	February 16, 2024
Revoke endpoint OAuth/OIDC	5	3344	February 12, 2024
Clear User Session - Oauth tokens can not be revoked OAuth/OIDC api	5	7100	January 12, 2024
Can't revoke accessToken OAuth/OIDC ios	2	5507	May 15, 2018
Clear User Sessions is not clearing id tokens i.e. user's Okta sessions, only clearing access token and refresh token Questions	2	5569	March 22, 2020

Revoke refresh token without access token

Related topics