Invoking the Revocation Endpoint for OpenID Connect
The revocation endpoint enables holders of access tokens or refresh tokens to notify the OpenID Connect Provider that an issued token is no longer needed and must be revoked. The revocation endpoint can revoke a token that was obtained through OpenID Connect or OAuth authentication.
For information about OAuth 2.0 token revocation, see https://tools.ietf.org/html/rfc7009.
Before you begin
Before a client application can invoke the revocation endpoint, it must first register as a normal OAuth 2.0 client with the OpenID Connect server.
About this task
The revocation endpoint accepts a request from the client that includes an access or refresh token. If the token is valid in the OpenID Connect Server, it is invalidated. If it is a refresh token, all access tokens that are associated with it are also invalidated.
A Liberty server with OpenID Connect enabled has access to the OpenID Connect revocation endpoint at the following URL:
https://server.example.com:443/oidc/endpoint/provider_name/revoke
This example URL assumes that the SSL port of the OpenID Connect Provider is 443.
Procedure
- Set up client authentication with the client ID and password for a registered OpenID Connect Client in the HTTP Basic Authorization header of a POST request. Encode the client ID and password by using the application/x-www-form-urlencoded encoding algorithm. The encoded client ID is used as the user name and the encoded password is used as the password.
- Include the string value of the access token or refresh token as a token parameter in the POST request to the revocation endpoint.
- Send the POST request to the revocation endpoint URL.
Example
The following example shows an HTTP request that is sent to the revocation endpoint:
POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
token=45ghiukldjahdnhzdauz&token_type_hint=access_token
The authorization server responds with HTTP status code 200 if the token was revoked successfully or if the client submitted an invalid token.
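The following Python script is an added example, not code from the Liberty documentation or product, that carries out the three procedure steps above: it form-url-encodes the client ID and password, builds the HTTP Basic Authorization header, puts the token in the form body, POSTs to the revoke URL and maps the status code to what the client should do next. The endpoint URL, the token and the client ID and password (the values the page's example Authorization header decodes to) are placeholders; replace them with values from your own provider. The status-code handling beyond 200 follows RFC 7009 section 2.2.1.

```python
"""Added example: invoke the OpenID Connect Provider revocation endpoint.
Not part of the Liberty documentation; endpoint, client credentials and
token values are placeholders."""
import base64
import urllib.error
import urllib.parse
import urllib.request

# Placeholder URL in the shape the page documents; replace host and provider_name.
REVOCATION_URL = "https://server.example.com:443/oidc/endpoint/provider_name/revoke"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Step 1: application/x-www-form-urlencoded encode the client ID and
    password, join them with ':' and base64-encode the result (RFC 6749 2.3.1)."""
    user = urllib.parse.quote_plus(client_id)
    password = urllib.parse.quote_plus(client_secret)
    credentials = f"{user}:{password}".encode("ascii")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def build_revocation_request(url, token, client_id, client_secret, token_type_hint=None):
    """Step 2: put the access or refresh token in the form body as 'token'.
    token_type_hint ('access_token' or 'refresh_token') is optional per RFC 7009."""
    form = {"token": token}
    if token_type_hint is not None:
        form["token_type_hint"] = token_type_hint
    body = urllib.parse.urlencode(form)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return {"url": url, "headers": headers, "body": body}


def interpret_status(status: int) -> str:
    """Map the provider's HTTP status to a client action. 200 covers both a
    revoked token and a token the provider did not recognise, so the client
    cannot (and need not) tell the two apart; other codes per RFC 7009 2.2.1."""
    if status == 200:
        return "revoked_or_unknown"
    if status == 401:
        return "client_authentication_failed"
    if status == 400:
        return "request_error"
    if status == 503:
        # RFC 7009: assume the token still exists and retry after a delay.
        return "retry_later_token_still_valid"
    return "unexpected"


def send_revocation(req, timeout=10) -> int:
    """Step 3: POST the request and return the HTTP status code. Error
    statuses are returned, not raised, so interpret_status can handle them."""
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode("ascii"), headers=req["headers"], method="POST"
    )
    try:
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Client ID, password and token are the placeholder values from the page's example.
    req = build_revocation_request(
        REVOCATION_URL, "45ghiukldjahdnhzdauz", "s6BhdRkqt3", "gX1fBat3bV", "access_token"
    )
    print(req["headers"]["Authorization"])  # Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    print(req["body"])  # token=45ghiukldjahdnhzdauz&token_type_hint=access_token
    try:
        print(interpret_status(send_revocation(req)))
    except urllib.error.URLError as err:
        print("could not reach the provider:", err.reason)
```

Run against your own provider, the header and body printed before the request match the HTTP example on this page exactly, because the example header is the base64 form of those client ID and password values. Treat a 503 as "token still valid, retry", never as success, since a client that drops a refresh token on a 503 leaves a live credential behind.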