OAuth2 Token revocation - integration guide for developers

Overview

This API is used to revoke an access token.

Prerequisites

- PhenixID Authentication Services HTTP API configured for OAuth2 token revocation use case

- OAuth/OIDC OP Discovery URL

Token revocation - data to be fetched before API call

The API client must fetch this value:

- access_token, returned from a previous authentication (this might be returned through the API, OIDC or SAML2)

How this parameter is fetched may differ depending on the use case.

Token revocation - API call

Request

Method: HTTP POST

Endpoint: <This value is fetched from the OAuth/OIDC discovery URL>
Example: /api/authentication/revoke?tenant=t1

Headers:

Name          | Value                                | Mandatory | Comment
Content-Type  | application/x-www-form-urlencoded    | Yes       |
Authorization | Basic <b64(client_id:client_secret)> | Yes       | HTTP Basic authentication will be used by default.

Body:

token=<access_token>

Example request

POST /api/authentication/revoke?tenant=t1 HTTP/1.1
Host: integration.phenixid.se
Content-Type: application/x-www-form-urlencoded
Authorization: Basic ZG9uYWxkOnRydW1wZQ==
cache-control: no-cache

token=21e0d582-f1b9-4747-95ad-f16ca7ef2a9c


Response

The HTTP Response status code may have one of these values:

- 200 if access_token was properly revoked.

- 403 if authentication failed or any error occurred.


No response body is returned.
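A small client for the call described above, added here as an example (it is not PhenixID's own code): it reads the endpoint from an already-fetched discovery document, builds the form-encoded POST with HTTP Basic client authentication, and maps the documented 200/403 status codes to an outcome. The `revocation_endpoint` metadata key is the standard OAuth2 name (RFC 8414); that this deployment publishes it under that name, and the client_id, client_secret and token values in `__main__`, are assumptions.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request


def revocation_endpoint_from_discovery(discovery_doc):
    """Pick the revocation endpoint out of a fetched discovery document.
    'revocation_endpoint' is the RFC 8414 metadata key; assumed for this deployment."""
    return discovery_doc["revocation_endpoint"]


def build_revocation_request(endpoint, client_id, client_secret, access_token):
    """Build the POST from the guide: form-encoded body, HTTP Basic client auth."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": access_token}).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {creds}",
    }
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def interpret_status(status):
    """Map the documented status codes to an outcome; there is no body to parse."""
    if status == 200:
        return "revoked"
    if status == 403:
        return "auth_failed_or_error"
    return "unexpected"


def revoke_token(endpoint, client_id, client_secret, access_token,
                 opener=urllib.request.urlopen):
    """Send the revocation request and return the outcome. urllib raises HTTPError
    for 4xx/5xx, so the 403 case lands in the except branch. 'opener' is
    injectable so the call can be exercised offline."""
    req = build_revocation_request(endpoint, client_id, client_secret, access_token)
    try:
        with opener(req) as resp:
            return interpret_status(resp.status)
    except urllib.error.HTTPError as err:
        return interpret_status(err.code)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent, the request is only built and shown.
    doc = {"revocation_endpoint": "https://integration.phenixid.se/api/authentication/revoke?tenant=t1"}
    req = build_revocation_request(revocation_endpoint_from_discovery(doc),
                                   "client", "secret", "21e0d582-f1b9-4747-95ad-f16ca7ef2a9c")
    print(req.get_method(), req.full_url, req.headers, req.data)
```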