Token Revocation
This section describes how to invalidate an access token or refresh token. When a user logs out of your application, revoke their access token; if a refresh token was issued, revoke it as well, because an unrevoked refresh token can still be exchanged for a new access token.
Example request:
curl -v -X POST https://{digiRunner_DOMAIN}/oauth/revocation \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'token={access_token}' \
-d 'token_type_hint=access_token' \
-d 'client_id={client_id}' \
-d 'client_secret={client_secret}'
Parameters with details:
token (String, Required)
The access token or refresh token to be revoked. It must have been issued to the client identified by client_id.
token_type_hint (String, Required)
To revoke an access token, use access_token as the value; to revoke a refresh token, use refresh_token as the value.
client_id (String, Required)
Client ID registered with digiRunner.
client_secret (String, Optional)
Scenario I. Higher security (client password required): the client password registered with digiRunner.
Scenario II. PKCE + public client (client password not required): when the Public Client (With PKCE) option is selected in digiRunner's OAuth grant type, this parameter is omitted.
Example of Successful Response
Example:
{
"code": "token_revoke_success",
"message": "access token revoke success, jti: 813a1d99-8a72-40a6-bf42-e26df6eadcb0"
}
Parameters with details:
code (String)
Custom response code for a successful revocation. Two values are currently defined:
token_revoke_success: the token was revoked by this request.
token_already_revoked: the token had already been revoked; the call still succeeds, so repeating a revocation is safe.
message (String)
Details for this response code (in the example above, the jti of the revoked token).
Example of Error Response
If the client secret (client password) is incorrect, the endpoint returns HTTP 401 Unauthorized with a JSON body. The timestamp field is the server time in Unix epoch milliseconds, returned as a string, and the message echoes the client_id that was sent.
Example:
{
"timestamp": "1685332432791",
"status": 401,
"error": "Unauthorized",
"message": "The client account or password is incorrect.clientId: tspldapclient",
"path": "/oauth/revocation"
}
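The request above and both response shapes, exercised end to end: the following is an added example client, not digiRunner's own code. It assumes the /oauth/revocation endpoint, parameters and JSON bodies documented in this section, and that a successful revocation is returned with HTTP 200 (the page does not state the status explicitly). The HTTP transport is injected so the logout flow, the idempotent token_already_revoked case and the 401 can be run offline against a constructed stand-in for the server; urllib_transport is the real transport.

```python
"""Revoke digiRunner OAuth tokens at logout and interpret the result.

Added example, not digiRunner's own client code. Assumes the endpoint,
parameters and response bodies documented above, and HTTP 200 on success.
"""
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

REVOCATION_PATH = "/oauth/revocation"


def build_revocation_request(domain, token, token_type_hint, client_id, client_secret=None):
    """Return (url, form body bytes) for one call to /oauth/revocation.

    client_secret is left out for a public client (Scenario II, PKCE);
    a confidential client (Scenario I) must supply it.
    """
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    form = {"token": token, "token_type_hint": token_type_hint, "client_id": client_id}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return f"https://{domain}{REVOCATION_PATH}", urllib.parse.urlencode(form).encode("ascii")


def urllib_transport(url, body):
    """Real HTTPS transport: POST the form and return (status, JSON body)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        try:  # the documented 401 carries a JSON body; keep it for diagnostics
            return err.code, json.loads(err.read().decode("utf-8"))
        except ValueError:
            return err.code, {}


def interpret_revocation_response(status, payload):
    """Classify a response as revoked, already_revoked or unauthorized.

    Anything else raises: never report a logout as complete unless the
    server confirmed the token is dead (or was already dead).
    """
    code = payload.get("code") if isinstance(payload, dict) else None
    if status == 200 and code == "token_revoke_success":
        return "revoked"
    if status == 200 and code == "token_already_revoked":
        return "already_revoked"
    if status == 401:
        return "unauthorized"
    raise RuntimeError(f"unexpected revocation response: {status} {payload!r}")


def revoke_token(transport, domain, token, token_type_hint, client_id, client_secret=None):
    url, body = build_revocation_request(domain, token, token_type_hint, client_id, client_secret)
    return interpret_revocation_response(*transport(url, body))


def logout(transport, domain, access_token, refresh_token, client_id, client_secret=None):
    """Revoke both tokens at logout; returns {token_type_hint: outcome}.

    The refresh token is revoked explicitly: a dead access token is only
    harmless if the refresh token can no longer mint a new one.
    """
    outcomes = {}
    for hint, tok in (("access_token", access_token), ("refresh_token", refresh_token)):
        if tok:
            outcomes[hint] = revoke_token(transport, domain, tok, hint, client_id, client_secret)
    return outcomes


def fake_transport_factory(valid_secret="s3cret", public_client=False):
    """Constructed offline stand-in for the server, shaped like the documented responses."""
    revoked = set()

    def transport(url, body):
        form = urllib.parse.parse_qs(body.decode("ascii"))
        secret = form.get("client_secret", [None])[0]
        if not public_client and secret != valid_secret:
            return 401, {"timestamp": "1685332432791", "status": 401, "error": "Unauthorized",
                         "message": "The client account or password is incorrect.clientId: "
                                    + form["client_id"][0], "path": REVOCATION_PATH}
        tok = form["token"][0]
        if tok in revoked:
            return 200, {"code": "token_already_revoked", "message": "token already revoked"}
        revoked.add(tok)
        return 200, {"code": "token_revoke_success", "message": "revoke success, jti: " + tok}
    return transport


if __name__ == "__main__":
    fake = fake_transport_factory()
    print(logout(fake, "api.example.com", "at-1", "rt-1", "c1", "s3cret"))
    print(revoke_token(fake, "api.example.com", "at-1", "access_token", "c1", "s3cret"))
    print(revoke_token(fake, "api.example.com", "at-1", "access_token", "c1", "wrong"))
```

To call the real server, pass urllib_transport instead of the fake and the registered client_id and client_secret (or client_secret=None for a PKCE public client). Treat "already_revoked" as success on the logout path; only "unauthorized" or an exception should surface as a failed logout.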