Token Revocation

This section describes how to invalidate an access token or refresh token. When a user logs out of your application, revoke their access token.

Example request:

curl -v -X POST https://{digiRunner_DOMAIN}/oauth/revocation \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'token={access_token}' \
-d 'token_type_hint=access_token' \
-d 'client_id={client_id}' \
-d 'client_secret={client_secret}'

Parameters with details:

| Parameter | Type | Requirement | Description |
| --- | --- | --- | --- |
| token | String | Required | The access token or refresh token, issued to the client, that is to be revoked |
| token_type_hint | String | Required | To revoke an access token, use access_token as the value; to revoke a refresh token, use refresh_token as the value |
| client_id | String | Required | Client ID registered with digiRunner |
| client_secret | String | Optional | Scenario I. Higher-Security (Client Password Required): the Client Password registered with digiRunner. Scenario II. PKCE + Public Client (Client Password Not Required): when the Public Client (With PKCE) option is selected in digiRunner's OAuth grant type, this parameter is not required. |

Example of Successful Response

Example:

{
"code": "token_revoke_success",
"message": "access token revoke success, jti: 813a1d99-8a72-40a6-bf42-e26df6eadcb0"
}

Parameters with details:

| Parameter | Type | Description |
| --- | --- | --- |
| code | String | Custom response code for a successful revocation, currently defined as one of two values: token_revoke_success (the token was revoked in this session) or token_already_revoked (the token had already been revoked). |
| message | String | Details for this success code |

Example of Error Response

If the client password is incorrect, a 401 Unauthorized HTTP status code and a JSON response are returned.

Example:

{
"timestamp": "1685332432791",
"status": 401,
"error": "Unauthorized",
"message": "The client account or password is incorrect.clientId: tspldapclient",
"path": "/oauth/revocation"
}
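The following is an added example, not digiRunner's own code, of a logout helper that builds the revocation request above for both scenarios (confidential client with client_secret, public PKCE client without it), revokes the access token and then the refresh token, and maps the success and 401 responses shown on this page to an outcome. The base URL, client names, token values and the FakeDigiRunner stand-in are constructed so the example runs offline; the real transport uses only the standard library.

```python
import json
from urllib import error, parse, request

def build_revocation_form(token, token_type_hint, client_id, client_secret=None):
    """Encode the POST body; client_secret is left out for a public (PKCE) client."""
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    fields = {"token": token, "token_type_hint": token_type_hint, "client_id": client_id}
    if client_secret is not None:
        fields["client_secret"] = client_secret
    return parse.urlencode(fields)

def interpret_response(status, body):
    """Map (HTTP status, JSON body) to 'revoked', 'already_revoked' or 'unauthorized'."""
    code = json.loads(body).get("code")
    if status == 200 and code in ("token_revoke_success", "token_already_revoked"):
        return "revoked" if code == "token_revoke_success" else "already_revoked"
    if status == 401:  # wrong client password, as in the page's error example
        return "unauthorized"
    raise RuntimeError("unexpected revocation reply %s: %s" % (status, body))

def http_post_form(url, form):  # real transport: returns (status, body), keeping 4xx bodies
    req = request.Request(url, data=form.encode(), method="POST",
                          headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as err:
        return err.code, err.read().decode()

def revoke_on_logout(base_url, client_id, access_token, refresh_token=None,
                     client_secret=None, transport=http_post_form):
    """Revoke the access token, then the refresh token; returns {token_type_hint: outcome}."""
    outcomes = {}
    for hint, token in (("access_token", access_token), ("refresh_token", refresh_token)):
        if token:
            form = build_revocation_form(token, hint, client_id, client_secret)
            outcomes[hint] = interpret_response(*transport(base_url + "/oauth/revocation", form))
    return outcomes

class FakeDigiRunner:  # constructed offline stand-in that answers like the page's examples
    def __init__(self, secret):
        self.secret, self.revoked = secret, set()
    def post(self, url, form):
        f = dict(parse.parse_qsl(form))
        if f.get("client_secret", self.secret) != self.secret:  # a public client may omit it
            return 401, json.dumps({"status": 401, "error": "Unauthorized", "path": url})
        code = "token_already_revoked" if f["token"] in self.revoked else "token_revoke_success"
        self.revoked.add(f["token"])
        return 200, json.dumps({"code": code, "message": "constructed reply"})
```

Pass `transport=FakeDigiRunner("s3cret").post` to exercise the flow offline, or leave the default to POST to a real gateway at `base_url`.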
