Part 4 - Revoking an OAuth2 Token


You’ve granted a user an Access Token, following part 1 and now you would like to revoke that token, probably in response to a client request (to logout).

Revoking a Token

Be sure that you’ve granted a valid token. If you’ve hooked in oauth-toolkit into your as specified in part 1, you’ll have a URL at /o/revoke_token. By submitting the appropriate request to that URL, you can revoke a user’s Access Token.

Oauthlib is compliant with, so as specified, the revocation request requires:

  • token: REQUIRED, this is the Access Token you want to revoke
  • token_type_hint: OPTIONAL, designating either ‘access_token’ or ‘refresh_token’.

Note that these revocation-specific parameters are in addition to the authentication parameters already specified by your particular client type.

Setup a Request

Depending on the client type you’re using, the token revocation request you may submit to the authentication server may vary. A Public client, for example, will not have access to your Client Secret. A revoke request from a public client would omit that secret, and take the form:

POST /o/revoke_token/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

Where token is Access Token specified above, and client_id is the Client id obtained in obtained in part 1. If your application type is Confidential , it requires a Client secret, you will have to add it as one of the parameters:

POST /o/revoke_token/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

The server will respond wih a 200 status code on successful revocation. You can use curl to make a revoke request on your server. If you have access to a local installation of your authorization server, you can test revoking a token with a request like that shown below, for a Confidential client.

curl --data "token=XXXX&client_id=XXXX&client_secret=XXXX" http://localhost:8000/o/revoke_token/