OAuth 2.0 Token Revocation is defined in RFC 7009.

The OAuth 2.0 core specification RFC 6749 defines several ways for an OAuth Client to obtain a Refresh Token and an Access Token.

The OAuth 2.0 Token Revocation specification supplements the core specification with a mechanism to revoke both types of tokens. A token is a string representing an authorization grant issued by the Resource Owner to the OAuth Client. A revocation request invalidates the presented token and, if applicable, other tokens based on the same Authorization Grant, as well as the Authorization Grant itself.

From an End-User's perspective, OAuth 2.0 is often used to log into a certain site or application. This revocation mechanism allows an OAuth Client to invalidate its tokens if the End-User (Resource Owner) logs out, changes Digital Identity, or uninstalls the respective application. Notifying the Authorization Server that the token is no longer needed allows the Authorization Server to clean up data associated with that token (e.g., session data) and the underlying Authorization Grant.

This behavior prevents a situation in which a valid Authorization Grant still exists for a particular OAuth Client without the End-User being aware of it. In this way, token revocation prevents abuse of abandoned tokens and gives a better End-User experience, since invalidated Authorization Grants no longer turn up in a list of Authorization Grants the Authorization Server might present to the End-User.
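The Authorization Server side of the mechanism described above, as an added example that is not part of the original page: a minimal in-memory model of an RFC 7009 revocation endpoint that cascades a Refresh Token revocation to the tokens and grant behind it and answers the same way for unknown tokens. The class names, storage layout and token values are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class TokenRecord:
    token_type: str   # "access_token" or "refresh_token"
    grant_id: str     # the Authorization Grant the token was issued under
    client_id: str    # the OAuth Client the token was issued to
    revoked: bool = False

class AuthorizationServer:
    """In-memory token store plus an RFC 7009 style revocation endpoint."""

    def __init__(self) -> None:
        self.tokens: Dict[str, TokenRecord] = {}
        self.grants: Set[str] = set()

    def issue(self, grant_id: str, client_id: str, access: str, refresh: str) -> None:
        # Both tokens of one grant share grant_id; token values are constructed by the caller.
        self.grants.add(grant_id)
        self.tokens[access] = TokenRecord("access_token", grant_id, client_id)
        self.tokens[refresh] = TokenRecord("refresh_token", grant_id, client_id)

    def revoke(self, client_id: str, token: str, token_type_hint: Optional[str] = None) -> int:
        """Handle POST /revoke for an already authenticated client; return the HTTP status.
        RFC 7009 section 2.2: answer 200 whether the token was revoked or was already
        invalid or unknown, so the endpoint cannot be used to probe which token strings
        are live. The hint only speeds up lookup and must never prevent revocation, so
        this model ignores it."""
        rec = self.tokens.get(token)
        if rec is None or rec.client_id != client_id:
            # Unknown token, or one issued to another client (section 2.1 requires the
            # ownership check). Design choice here: revoke nothing and answer exactly
            # like the unknown-token case, so nothing about the token leaks.
            return 200
        # An access token revokes only itself (cascading to its refresh token is optional).
        rec.revoked = True
        if rec.token_type == "refresh_token":
            # Revoking a refresh token also invalidates the access tokens based on the
            # same Authorization Grant, and the grant itself (section 2.1).
            for other in self.tokens.values():
                if other.grant_id == rec.grant_id:
                    other.revoked = True
            self.grants.discard(rec.grant_id)
        return 200

    def is_valid(self, token: str) -> bool:
        rec = self.tokens.get(token)
        return rec is not None and not rec.revoked
```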

More Information

There might be more information for this subject on one of the following:

This page (revision-3) was last changed on 17-Jul-2017 10:43 by jim