Revoke token with PKCE (logout)

Hi everybody,

We are building native mobile applications and we use for that purpose PKCE.

So we obtain an access_token and a refresh_token, and we want to implement "logout" logic, so we call the revoke API https://developer.okta.com/docs/api/resources/oidc/#revoke but we are not able to make a successful call.

cURL of such a call:

curl -X POST \
  https://.../oauth2/default/v1/revoke \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d 'token_endpoint_auth_method=none&token_type_hint=access_token&token=...&client_id=...'

We are getting back:

{
    "error": "invalid_client",
    "error_description": "Invalid value for 'client_id' parameter."
}

I put token_endpoint_auth_method there because I read https://developer.okta.com/docs/api/resources/oidc/#client-authentication-methods, where there is the statement: "Specify none when the client is a public client and doesn't have a client secret. Only the client_id is sent in the request body."

Thank you very much for any advice and navigation.
Jan

Hi @Rudovsky

I've tested now on my end and I was able to revoke the access token successfully. Here is the cURL request used:

curl -X POST \
  https://dragos.okta.com/oauth2/aus38el88lfcL6PFg2p7/v1/revoke \
  -H 'Accept: application/json' \
  -H 'Host: dragos.okta.com' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'token=eyJraWQiOiJkbUhnMjRzNDdnWXZ6bE5JWTFmMFJxWVdrb2VQQ2R0WmdVdnRxdnNzeTRVIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULno4eWdXUml4eVJlMnBJSmJ1aTFLVVNUaFZqMmNhX252WWdKZWJWb21hZjQiLCJpc3MiOiJodHRwczovL2RyYWdvcy5va3RhLmNvbS9vYXV0aDIvYXVzMzhlbDg4bGZjTDZQRmcycDciLCJhdWQiOiJodHRwczovL2Rldi5va3RhLmFkbWlucGFuZWwuYml6IiwiaWF0IjoxNTYwMjUxMTk4LCJleHAiOjE1NjAyNTQ3OTgsImNpZCI6IjBvYTNwa3gzNWg2ZlJ5RzNLMnA3IiwidWlkIjoiMDB1b3piZ2MwM3d6cW9hWHAycDYiLCJzY3AiOlsib3BlbmlkIl0sInN1YiI6InRlc3QudXNlckBleGFtcGxlLmNvbSIsIm9yZyI6InRlc3QifQ.ql_JtRi3c0sHq3eIbiAa_CjavcHHEmzMxn8_yBtUVEyU8wHrVxSjmigH0KKHXX6LMb7QVvPVrVrSLCwV5gdD8fhpz_OXHC3_gqR0dYzBVH4Oj4T1F6z49c0tbMg95VccrHZuKCakhqwpTi8GM1ntn3GvBK2FXC_ofm79leHTSxmT4MlkbRolIaOPMlrFow5POiRP2ckyf03quCYAdbOhTgP6hVDnqxMGYOV8HSmOCupSFoOHCCePe00tH7k4yBODlLwjoneykpjWkGVur2iUWTTmQbORwh41i8lB11gWkUO0B6BQYV2PzMbw0YhBTUo_GKzsUkaMUzfaPe8FFowg6g&token_type_hint=access_token&client_id=0oa3pkx35h6fRyG3K2p7'

Here are a few things to check in order to narrow down the issue:

  • the cid claim inside the access token matches the client_id declared in the body
  • the token is revoked on the same authorization server that was used to generate it (you can easily check this by comparing the URL that you are accessing against iss claim inside the access token)
  • the OIDC application is active inside your Okta org
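The first two checks from the reply above (cid claim vs. client_id, iss claim vs. the revoke URL) can be automated on the client before the request is sent. This is an added example, not code from the thread or from Okta; it decodes the token payload locally without verifying the signature (fine for inspecting your own token, never for trusting one), assumes Okta's URL layout (custom authorization server: {iss}/v1/revoke; org authorization server: {iss}/oauth2/v1/revoke), and builds the form body the way the working request in the reply does, with only token, token_type_hint and client_id for a public PKCE client. The sample token and identifiers are constructed.

```python
import base64
import json
from urllib.parse import urlencode


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS/JWT WITHOUT checking the signature.
    Only used to read our own token's claims locally before revoking it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_revoke_url(issuer: str) -> str:
    """Assumed Okta layout: custom server -> {iss}/v1/revoke,
    org server (iss has no /oauth2/ path) -> {iss}/oauth2/v1/revoke."""
    base = issuer.rstrip("/")
    if "/oauth2/" not in base:
        base += "/oauth2"
    return base + "/v1/revoke"


def revoke_precheck(token: str, client_id: str, revoke_url: str) -> list:
    """Return the mismatches between the token's claims and the revoke request
    we are about to send; an empty list means both checks pass."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("cid") != client_id:
        problems.append(f"cid claim {claims.get('cid')!r} != client_id {client_id!r}")
    if expected_revoke_url(claims.get("iss", "")) != revoke_url:
        problems.append(f"iss claim {claims.get('iss')!r} does not belong to {revoke_url!r}")
    return problems


def revoke_request_body(token: str, client_id: str, token_type_hint: str = "access_token") -> str:
    """Form body for a public (PKCE) client: no secret and no
    token_endpoint_auth_method parameter, just the three fields Okta expects."""
    return urlencode({"token": token, "token_type_hint": token_type_hint, "client_id": client_id})


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    tok = make_unsigned_token({"iss": "https://example.okta.com/oauth2/default", "cid": "0oaEXAMPLE"})
    print(revoke_precheck(tok, "0oaEXAMPLE", "https://example.okta.com/oauth2/v1/revoke"))
```

Run the precheck against the real token and the URL your app is about to POST to; a non-empty list is exactly the situation that produced the invalid_client error in this thread.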

@dragos
Thank you very much! You have no idea how you helped me!

I'm ashamed, but our problem was a wrong URL.

Meaning, we got the token from a different URL than the one we were trying to revoke it at… I'm sorry for wasting your time, but your response got me thinking from a different angle.

I owe you THE beer!

Best, Jan