OAuth revocation endpoint

A revocation endpoint lets a client tell the authorization server that a token is no longer needed, so that the server can invalidate it.

Security Access Manager supports use of an OAuth revocation endpoint. This endpoint enables clients to inform an authorization server that a specified token is no longer needed and must be revoked. The support is compliant with RFC 7009.

The revocation URL is enabled by default and cannot be disabled.

A typical revocation response is HTTP 200 with an empty body. You can modify a mapping rule to add response attributes.

The RFC states that the revocation endpoint must authenticate the client with its client credentials. You can provide these credentials as the POST parameters client_id and client_secret, or as a Basic Authentication (BA) header. Authentication with BA can occur at the point of contact (reverse proxy) or at the revocation endpoint itself (similar to the OAuth token endpoint). The client can also authenticate by using an access token that was issued to this client.

The RFC states that the revocation endpoint can revoke only tokens that were generated by the client that is requesting the revocation.

URL
https://<Reverse proxy host/port/junction>/sps/oauth/oauth20/revoke

HTTP Request Example
POST /mga/sps/oauth/oauth20/revoke HTTP/1.1
Host: server.oauth.com
Content-Type: application/x-www-form-urlencoded

client_id=yb98la1&client_secret=4531959525657&token=2YotnFZFEjr1zCsicMWpAA

token_type_hint
The revocation endpoint supports the token_type_hint parameter. The hint optimizes the lookup time for the token, but it does not limit the breadth of the search in the token cache: the token is still found even if its actual type differs from the hint.

For example:

POST /sps/oauth/oauth20/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded

token=&client_id=aClient&client_secret=aSecret&token_type_hint=access_token

Valid values for token_type_hint are access_token and refresh_token.

Mapping rule variables

Table 1. Mapping rule variable for OAuth revocation

Variable: only_allow_conf_client_revoke

Description: Set this variable in the pre-mapping rule to specify whether non-confidential clients can revoke tokens. By default, only confidential clients can revoke tokens. To enable non-confidential clients to revoke tokens, set this variable to false.

Default:

var only_allow_conf_client_revoke = true;