Hi everybody,
We are building native mobile applications and we use PKCE for that purpose.
So we obtain an access_token
and a refresh_token,
and we want to implement "logout" logic, so we call the revoke API https://developer.okta.com/docs/api/resources/oidc/#revoke but we are not able to make a successful call.
cURL of such a call:
curl -X POST \
https://.../oauth2/default/v1/revoke \
-H 'Accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'cache-control: no-cache' \
-d 'token_endpoint_auth_method=none&token_type_hint=access_token&token=...&client_id=...'
We are getting back:
{
"error": "invalid_client",
"error_description": "Invalid value for 'client_id' parameter."
}
I put token_endpoint_auth_method there
because I read https://developer.okta.com/docs/api/resources/oidc/#client-authentication-methods, where there is the statement: "Specify none when the client is a public client and doesn't have a client secret. Only the client_id is sent in the request body."
Thank you very much for any advice and navigation.
Jan
dragos
June 11, 2019, 11:12am
Hi @Rudovsky
I have now tested on my end and was able to revoke the access token successfully. Here is the cURL request I used:
curl -X POST \
https://dragos.okta.com/oauth2/aus38el88lfcL6PFg2p7/v1/revoke \
-H 'Accept: application/json' \
-H 'Host: dragos.okta.com' \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'token=eyJraWQiOiJkbUhnMjRzNDdnWXZ6bE5JWTFmMFJxWVdrb2VQQ2R0WmdVdnRxdnNzeTRVIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULno4eWdXUml4eVJlMnBJSmJ1aTFLVVNUaFZqMmNhX252WWdKZWJWb21hZjQiLCJpc3MiOiJodHRwczovL2RyYWdvcy5va3RhLmNvbS9vYXV0aDIvYXVzMzhlbDg4bGZjTDZQRmcycDciLCJhdWQiOiJodHRwczovL2Rldi5va3RhLmFkbWlucGFuZWwuYml6IiwiaWF0IjoxNTYwMjUxMTk4LCJleHAiOjE1NjAyNTQ3OTgsImNpZCI6IjBvYTNwa3gzNWg2ZlJ5RzNLMnA3IiwidWlkIjoiMDB1b3piZ2MwM3d6cW9hWHAycDYiLCJzY3AiOlsib3BlbmlkIl0sInN1YiI6InRlc3QudXNlckBleGFtcGxlLmNvbSIsIm9yZyI6InRlc3QifQ.ql_JtRi3c0sHq3eIbiAa_CjavcHHEmzMxn8_yBtUVEyU8wHrVxSjmigH0KKHXX6LMb7QVvPVrVrSLCwV5gdD8fhpz_OXHC3_gqR0dYzBVH4Oj4T1F6z49c0tbMg95VccrHZuKCakhqwpTi8GM1ntn3GvBK2FXC_ofm79leHTSxmT4MlkbRolIaOPMlrFow5POiRP2ckyf03quCYAdbOhTgP6hVDnqxMGYOV8HSmOCupSFoOHCCePe00tH7k4yBODlLwjoneykpjWkGVur2iUWTTmQbORwh41i8lB11gWkUO0B6BQYV2PzMbw0YhBTUo_GKzsUkaMUzfaPe8FFowg6g&token_type_hint=access_token&client_id=0oa3pkx35h6fRyG3K2p7'
Here are a few things to check in order to narrow down the issue:
- the cid claim inside the access token matches the client_id declared in the body
- the token is revoked on the same authorization server that was used to generate it (you can easily check this by comparing the URL that you are accessing against the iss claim inside the access token)
- the OIDC application is active inside your Okta org
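The checks from that answer as a small script, added here as an example and not part of the original thread. It decodes the access token's claims locally (the signature is not verified; this is only for seeing which authorization server and client issued the token, the revoke endpoint does its own validation), compares cid with the client_id about to be sent and iss with the authorization server implied by the revoke URL, and then builds the form body a public client sends: token, token_type_hint and client_id only, with no client_secret and no Authorization header, which is what the quoted doc sentence about token_endpoint_auth_method none describes (it is a client setting, not a request parameter). Assumptions: the sample token is constructed with the same iss and cid values as the answer's cURL and a placeholder signature, and the issuer derivation assumes Okta's URL layout (custom authorization server https://{org}/oauth2/{id}, org authorization server https://{org}).

```python
import base64
import json
from urllib.parse import urlencode, urlparse, urlunparse

REVOKE_SUFFIX = "/v1/revoke"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    Debugging aid only: it tells you which server (iss) and client (cid) minted
    the token. Never use this to decide whether a token is trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # base64url omits padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_for_revoke_url(revoke_url: str) -> str:
    """Derive the issuer a token must carry to be revocable at this URL.

    Assumes Okta's layout: https://{org}/oauth2/{serverId}/v1/revoke belongs to
    issuer https://{org}/oauth2/{serverId}; https://{org}/oauth2/v1/revoke is the
    org authorization server, whose issuer is the bare https://{org}.
    """
    u = urlparse(revoke_url)
    if not u.path.endswith(REVOKE_SUFFIX):
        raise ValueError(f"{revoke_url} is not a {REVOKE_SUFFIX} endpoint")
    base_path = u.path[: -len(REVOKE_SUFFIX)]
    if base_path == "/oauth2":
        base_path = ""
    return urlunparse((u.scheme, u.netloc, base_path, "", "", ""))


def check_revoke_request(token: str, revoke_url: str, client_id: str) -> list:
    """Return a list of mismatches; an empty list means the two checks passed."""
    claims = decode_jwt_claims(token)
    problems = []
    expected_iss = issuer_for_revoke_url(revoke_url)
    if claims.get("iss") != expected_iss:
        problems.append(
            f"issuer mismatch: token iss={claims.get('iss')!r}, "
            f"revoke URL implies {expected_iss!r}"
        )
    if claims.get("cid") != client_id:
        problems.append(
            f"client mismatch: token cid={claims.get('cid')!r}, "
            f"request client_id={client_id!r}"
        )
    return problems


def build_revoke_request(token: str, revoke_url: str, client_id: str,
                         token_type_hint: str = "access_token"):
    """Return (url, headers, body) for a public client revoke call.

    A public client has no secret, so client_id travels in the form body and
    there is no Authorization header. Nothing else goes in the body.
    """
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": token, "token_type_hint": token_type_hint,
                      "client_id": client_id})
    return revoke_url, headers, body


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample token (assumption, not a real Okta token): iss and cid copy
# the values from the answer's cURL; the signature is a placeholder and would
# fail verification, which is irrelevant for local claim inspection.
SAMPLE_ISS = "https://dragos.okta.com/oauth2/aus38el88lfcL6PFg2p7"
SAMPLE_CID = "0oa3pkx35h6fRyG3K2p7"
SAMPLE_TOKEN = ".".join([
    _b64url({"kid": "example", "alg": "RS256"}),
    _b64url({"ver": 1, "iss": SAMPLE_ISS, "aud": "api://default",
             "cid": SAMPLE_CID, "scp": ["openid"], "sub": "test.user@example.com"}),
    "placeholder-signature",
])

if __name__ == "__main__":
    # The mistake from this thread: token minted by a custom authorization server,
    # revoke call sent to the "default" server of the same org.
    print(check_revoke_request(
        SAMPLE_TOKEN, "https://dragos.okta.com/oauth2/default/v1/revoke", SAMPLE_CID))
    print(check_revoke_request(SAMPLE_TOKEN, SAMPLE_ISS + REVOKE_SUFFIX, SAMPLE_CID))
    url, headers, body = build_revoke_request(SAMPLE_TOKEN, SAMPLE_ISS + REVOKE_SUFFIX, SAMPLE_CID)
    print(url, headers, body[:40] + "...")
```

Run it as is to see the issuer mismatch for the wrong URL and an empty list for the right one; to send the real request, POST the returned body to the returned URL with the returned headers using any HTTP client. Keep in mind that a revoke call with a wrong client_id or wrong authorization server is answered with invalid_client, exactly as in the question, so these two checks cover the most common causes before you look at the application's status in the org.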
@dragos
Thank you very much! You have no idea how you helped me!
I'm ashamed, but our problem was a wrong URL.
Meaning, we got the token from a different URL than the one we were trying to revoke it at… I'm sorry for wasting your time, but your response got me thinking from a different angle.
I owe you THE beer!
Best, Jan
system
Closed
January 17, 2024, 11:40pm
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.