Revoke refresh token without access token

cohen · April 29, 2019, 11:20pm

Is it possible to revoke a user’s refresh tokens without knowing the access token?

The only documentation I can find around revoking tokens for OIDC clients is here,
https://developer.okta.com/authentication-guide/tokens/revoking-tokens/

This requires knowing the access token.

What about the case where I want to revoke a refresh token, but the access token is not known?

For example, Auth0 provides an API to list token IDs for a user, then revoke tokens by ID;

cohen · April 29, 2019, 11:30pm

Ok, I found this:

The clear user sessions API will revoke tokens:

Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.

And if done via the UI, it will also clear the tokens:

system · January 17, 2024, 11:28pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Revoke an user access token API	3	1968	February 16, 2024
Clear User Sessions is not clearing id tokens i.e. user's Okta sessions, only clearing access token and refresh token Questions	2	5522	March 22, 2020
Clear User Session - Oauth tokens can not be revoked OAuth/OIDC api	5	6978	January 12, 2024
Revoke endpoint OAuth/OIDC	5	3059	February 12, 2024
Initiate revoke by Resource Owner Questions	2	2711	March 22, 2022

Revoke refresh token without access token

Related topics