Revoke refresh token without access token

cohen · April 29, 2019, 11:20pm

Is it possible to revoke a user’s refresh tokens without knowing the access token?

The only documentation I can find around revoking tokens for OIDC clients is here,
https://developer.okta.com/authentication-guide/tokens/revoking-tokens/

This requires knowing the access token.

What about the case where I want to revoke a refresh token, but the access token is not known?

For example, Auth0 provides an API to list token IDs for a user, then revoke tokens by ID;

cohen · April 29, 2019, 11:30pm

Ok, I found this:

The clear user sessions API will revoke tokens:

Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.

And if done via the UI, it will also clear the tokens:

system · January 17, 2024, 11:28pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.