/oauth2/token/revoke
Endpoint defined in RFC7009 - Token Revocation, used to revoke both access and refresh tokens.
Revoking a refresh token also revokes any other associated tokens that were issued with the same authorization grant. If a client has multiple access tokens for a single user that were obtained using different authorization grants, the client would need to make multiple calls to the revoke token endpoint to invalidate each token.
The revoke token endpoint supports the following parameters:
token
Specifies the token ID that will be revoked.
Required: Yes.
client_id
Specifies the client ID unique to the application making the request.
Required: Yes.
client_secret
Specifies the password of the private client making the request. Do not use in conjunction with the
cnf_key
parameter.Required: A form of password or credentials is required for confidential clients. However, the use of the
client_secret
parameter depends on the client authentication method used. For more information, see OAuth 2.0 Client Authentication.client_assertion
Specifies the signed JWT that the client uses as a credential when using the JWT bearer client authentication method.
For more information, see OAuth 2.0 Client Authentication.
Required: Yes, when using the JWT bearer client authentication method.
client_assertion_type
Specifies the type of assertion when the client is authenticating to the authorization server using JWT bearer client authentication. Do not use with other client authentication methods.
Set it to
urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
.For more information, see OAuth 2.0 Client Authentication.
Required: Yes, when using the JWT bearer client authentication method.
You must compose the path to the revoke token endpoint addressing the specific realm where the user code was issued. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/subrealm1/revoke
.
The following is an example of how to revoke a given token:
$curl --request POST \ --data "token=xS3UjtuXMu77iNzl2XibpeMlw1g" \ --data "client_id=myClient" \ --data "client_secret=forgerock" \ "https://openam.example.com:8443/openam/oauth2/realms/root/token/revoke"
{}