Invoking the Revocation Endpoint for OpenID Connect

The revocation endpoint enables holders of access tokens or refresh tokens to notify the OpenID Connect Provider that an issued token is no longer needed and must be revoked. The revocation endpoint can revoke a token that was obtained through OpenID Connect or OAuth authentication.

For information about OAuth 2.0 token revocation, see https://tools.ietf.org/html/rfc7009.

Before you begin

Before a client application can invoke the revocation endpoint, it must first be registered with the OpenID Connect server as a normal OAuth 2.0 client.

About this task

The revocation endpoint accepts a request from the client that includes an access or refresh token. If the token is valid in the OpenID Connect Server, it is invalidated. If it is a refresh token, all access tokens that are associated with it are also invalidated.

A Liberty server with OpenID Connect enabled has access to the OpenID Connect revocation endpoint at the following URL:

https://server.example.com:443/oidc/endpoint/provider_name/revoke

This example URL assumes that the SSL port of the OpenID Connect Provider is 443.

Procedure

  1. Set up client authentication with the client ID and password for a registered OpenID Connect Client in the HTTP Basic Authorization header of a POST request. Encode the client ID and password by using the application/x-www-form-urlencoded encoding algorithm. The encoded client ID is used as the user name and the encoded password is used as the password.
  2. Include the string value of the access token or refresh token to be revoked as the token parameter in the POST request to the revocation endpoint.
  3. Send the POST request to the revocation endpoint URL.

Example

The following example shows an HTTP request that is sent to the revocation endpoint:
POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&token_type_hint=access_token

The authorization server responds with HTTP status code 200 if the token was revoked successfully or if the client submitted an invalid token.
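The following Python client is an added example, not part of the Liberty documentation, that carries out the three procedure steps and produces the request shown above. It uses the example URL from this page; the client ID s6BhdRkqt3 and secret gX1fBat3bV are the values decoded from the example Authorization header, and the opener parameter is an assumption made so the code can be exercised without a network.

```python
import base64
from urllib.error import HTTPError
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Endpoint URL from the page; provider_name is whatever the provider was configured with.
REVOKE_URL = "https://server.example.com:443/oidc/endpoint/provider_name/revoke"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Step 1: form-url-encode the ID and secret (RFC 6749 section 2.3.1), join them
    with ':' and base64 the result. Encoding first keeps a ':' or '%' inside a
    secret from being mis-split by the server."""
    creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_revocation_request(client_id, client_secret, token, token_type_hint=None, url=REVOKE_URL):
    """Steps 1 and 2: a POST whose form body carries the token and, optionally,
    a token_type_hint of access_token or refresh_token (RFC 7009 section 2.1)."""
    fields = {"token": token}
    if token_type_hint is not None:
        if token_type_hint not in ("access_token", "refresh_token"):
            raise ValueError("token_type_hint must be access_token or refresh_token")
        fields["token_type_hint"] = token_type_hint
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return Request(url, data=urlencode(fields).encode("ascii"), headers=headers, method="POST")


def revoke(req, opener=urlopen) -> int:
    """Step 3: send the request and return the HTTP status code. 200 means the
    server accepted the revocation, but, as the page notes, an invalid token also
    yields 200, so a 200 is not proof that the token was live. Error statuses
    (for example 401 for bad client credentials) are returned, not raised.
    `opener` is injectable (an assumption of this example) for offline testing."""
    try:
        with opener(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    r = build_revocation_request("s6BhdRkqt3", "gX1fBat3bV", "45ghiukldjahdnhzdauz", "access_token")
    print(r.get_method(), r.full_url)
    print("Authorization:", r.get_header("Authorization"))
    print(r.data.decode("ascii"))
```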