OAuth2 Token revocation - integration guide for developers
Overview
This API is used to revoke an access token.
Prerequisites
- PhenixID Authentication Services HTTP API configured for OAuth2 token revocation use case
- OAuth/OIDC OP Discovery URL
Token revocation - data to be fetched before api call
The api client must fetch this value:
- access_token, returned from previous authentication (this might be returned through API, OIDC or SAML2)
How this parameter is fetched may differ depending on the use case.
Token revocation - api call
Request
Method: HTTP POST
Endpoint: <This value is fetched from the OAuth/OIDC discovery URL>
Example: /api/authentication/revoke?tenant=t1
Headers:
Name | Value | Mandatory | Comment
---|---|---|---
Content-Type | application/x-www-form-urlencoded | Yes | |
Authorization | Basic <b64(client_id:client_secret)> | Yes | HTTP Basic authentication will be used by default. |
Body:
token=<access_token>
Example request
POST /api/authentication/revoke?tenant=t1 HTTP/1.1
Host: integration.phenixid.se
Content-Type: application/x-www-form-urlencoded
Authorization: Basic ZG9uYWxkOnRydW1wZQ==
cache-control: no-cache

token=21e0d582-f1b9-4747-95ad-f16ca7ef2a9c
Response
The HTTP Response status code may have one of these values:
- 200 if access_token was properly revoked.
- 403 if authentication failed or any other error occurred.
No response body is returned.
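As an added example (not PhenixID's own code), a minimal Python client that walks the steps above: it takes the endpoint from the discovery document, builds the Basic credential and the form-encoded POST, and maps the 200/403 contract to a boolean. It assumes the discovery document exposes the endpoint under the standard `revocation_endpoint` key (RFC 8414); the host, client credentials and token values are constructed placeholders.

```python
import base64
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Constructed stand-in for the document served at the OAuth/OIDC discovery URL.
# "revocation_endpoint" is the standard discovery key; the path is the example
# path from this guide and the host is a placeholder.
DISCOVERY_DOC = {
    "revocation_endpoint": "https://op.example/api/authentication/revoke?tenant=t1",
}

def revocation_endpoint(discovery_doc: dict) -> str:
    """Take the endpoint from discovery rather than hard-coding it."""
    try:
        return discovery_doc["revocation_endpoint"]
    except KeyError:
        raise ValueError("discovery document has no revocation_endpoint") from None

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value base64(client_id:client_secret). It carries the client
    secret unencrypted, so the request must only ever be sent over TLS."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {creds}"

def build_revoke_request(endpoint, client_id, client_secret, access_token) -> Request:
    """POST with a form-encoded body 'token=<access_token>', as the guide specifies."""
    body = urlencode({"token": access_token}).encode()
    return Request(endpoint, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    })

def interpret_status(status: int) -> bool:
    """200: revoked. 403: auth failure or any other error (no body comes back,
    so the client cannot tell which). Anything else is outside the contract."""
    if status == 200:
        return True
    if status == 403:
        return False
    raise RuntimeError(f"unexpected status {status} from revocation endpoint")

def revoke(endpoint, client_id, client_secret, access_token) -> bool:
    """Send the revocation request; True only if the OP confirmed revocation."""
    req = build_revoke_request(endpoint, client_id, client_secret, access_token)
    try:
        with urlopen(req) as resp:
            return interpret_status(resp.status)
    except HTTPError as err:  # urllib raises on 4xx/5xx; 403 is an expected answer
        return interpret_status(err.code)
```

Call `revoke(revocation_endpoint(discovery_doc), client_id, client_secret, access_token)` after fetching the discovery document; a `False` result should be logged as a revocation failure since the OP gives no reason.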