I have a token that was generated for an OIDC application in a device authorization grant_type flow. I want to revoke the token to test some token refresh logic. When I try to POST to the /revoke endpoint via Postman the response received is:
{
"errorCode": "invalid_client",
"errorSummary": "No client credentials found.",
...
}
From Okta docs I see that it requires client authentication. The app does not have a client secret so I cannot put that into body or a basic auth header. I’ve seen an example in the forum here where just passing token, hint and client_id should work provided that these items are true, which is correct in my case.
- the cid claim inside the access token matches the client_id declared in the body
- the token is revoked on the same authorization server that was used to generate it
- the OIDC application is active inside your Okta org
However, that just returns the invalid client error. Here is a redacted sample of what I’m sending:
curl --location --request POST 'https://dev-....okta.com/oauth2/default/v1/revoke' \
--header 'Accept: application/json' \
--header 'Authorization: Basic' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=eyJra...' \
--data-urlencode 'token_type_hint=access_token' \
--data-urlencode 'client_id=...'
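Added example, not part of the original post or of Okta's own code: the revocation request for a public (secret-less) client built the way the three conditions above describe, with `client_id` carried only in the form body and no `Authorization` header at all. The sample above still sends a bare `Authorization: Basic` header with no credentials; this example omits it so the server has nothing to attempt HTTP Basic client authentication with. The issuer URL, client id and access token are constructed placeholders, and the JWT payload is decoded without signature verification purely as a local pre-flight check of the `cid` and `iss` claims, never as a way to trust the token.

```python
"""Build and send an RFC 7009 token revocation request for a public OIDC client.

Added example, not from the original post. ISSUER, SAMPLE_CLIENT_ID and
SAMPLE_TOKEN are constructed placeholders, not real Okta values.
"""
import base64
import json
import urllib.parse
import urllib.request

ISSUER = "https://dev-EXAMPLE.okta.com/oauth2/default"  # placeholder org / auth server


def jwt_claims(token: str) -> dict:
    """Decode a compact JWS payload WITHOUT verifying the signature.

    Used only to check, before sending, that the token's `cid` and `iss`
    claims match what we are about to put in the request. It says nothing
    about whether the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_revoke_request(issuer: str, token: str, client_id: str,
                         token_type_hint: str = "access_token") -> urllib.request.Request:
    """Return the POST for {issuer}/v1/revoke authenticated by client_id in the body.

    No Authorization header is set: a public client has no secret, and an
    empty `Authorization: Basic` header makes the server try (and fail)
    Basic client authentication instead of reading client_id from the body.
    """
    claims = jwt_claims(token)
    if claims.get("cid") != client_id:
        raise ValueError(f"cid claim {claims.get('cid')!r} does not match client_id {client_id!r}")
    if claims.get("iss") != issuer:
        raise ValueError("token was issued by a different authorization server")
    body = urllib.parse.urlencode({
        "token": token,
        "token_type_hint": token_type_hint,
        "client_id": client_id,
    }).encode()
    return urllib.request.Request(
        f"{issuer}/v1/revoke",
        data=body,
        method="POST",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def describe(req: urllib.request.Request) -> dict:
    """Flatten a Request into url, lower-cased header names and form fields (for inspection)."""
    fields = urllib.parse.parse_qs(req.data.decode())
    return {
        "url": req.full_url,
        "method": req.get_method(),
        "headers": {k.lower() for k, _ in req.header_items()},
        "fields": {k: v[0] for k, v in fields.items()},
    }


def revoke(req: urllib.request.Request) -> int:
    """Send the request; per RFC 7009 a server returns 200 even for an unknown token."""
    with urllib.request.urlopen(req) as resp:  # network call, not exercised offline
        return resp.status


def make_sample_token(claims: dict) -> str:
    """Constructed sample JWT with a dummy signature segment, for offline use only."""
    def b64(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'kid': 'example'})}.{b64(claims)}.c2lnbmF0dXJl"


SAMPLE_CLIENT_ID = "0oaEXAMPLEclientid"  # placeholder client id
SAMPLE_TOKEN = make_sample_token({"iss": ISSUER, "cid": SAMPLE_CLIENT_ID, "sub": "user@example.com"})

if __name__ == "__main__":
    request = build_revoke_request(ISSUER, SAMPLE_TOKEN, SAMPLE_CLIENT_ID)
    print(json.dumps({**describe(request), "headers": sorted(describe(request)["headers"])}, indent=2))
```

Running the script prints the request as it would leave the client: no `authorization` header, and `token`, `token_type_hint` and `client_id` as the only form fields. The `cid`/`iss` pre-check fails fast when the token was minted for another app or on another authorization server, which are the two remaining conditions in the list above.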