Applies to: 17.0.0.3 and later
Invoking the Revocation Endpoint for OpenID Connect
For information about OAuth 2.0 token revocation, see https://tools.ietf.org/html/rfc7009.
Before you begin
Before a client application can invoke the revocation endpoint, it must first be registered with the OpenID Connect server as a normal OAuth 2.0 client.
About this task
The revocation endpoint accepts a request from the client that includes an access token or a refresh token. If the token is valid on the OpenID Connect server, it is invalidated. If it is a refresh token, all access tokens that are associated with it are also invalidated.
A Liberty server with OpenID Connect enabled exposes the OpenID Connect revocation endpoint at the following URL:
https://server.example.com:443/oidc/endpoint/provider_name/revoke
This example URL assumes that the SSL port of the OpenID Connect Provider is 443.
Procedure
- Set up client authentication by placing the client ID and password of a registered OpenID Connect client in the HTTP Basic Authorization header of a POST request. First encode the client ID and the password by using the application/x-www-form-urlencoded encoding algorithm; the encoded client ID is used as the user name and the encoded password is used as the password.
- Include the string value of the access token or refresh token as the token parameter in the POST request to the revocation endpoint. You can optionally add a token_type_hint parameter (access_token or refresh_token) to indicate which kind of token is being submitted.
- Send the POST request to the revocation endpoint URL.
Example
The following example shows an HTTP request that is sent to the revocation endpoint:
POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
token=45ghiukldjahdnhzdauz&token_type_hint=access_token
The authorization server responds with HTTP status code 200 if the token was revoked successfully or if the client submitted an invalid token.
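The following client, added here as an example and not part of Liberty's own code or of this documentation, carries out the three procedure steps above: it form-urlencodes the client credentials before Base64-encoding them for the Basic header, builds the token/token_type_hint form body, and POSTs it to the revocation URL. The endpoint URL, client credentials and token values are placeholders taken from or modelled on the example request on this page; no real server is contacted unless you call revoke() yourself.

```python
"""Minimal OAuth 2.0 / OpenID Connect token revocation client (RFC 7009).

Added example, not Liberty's own code. It assumes only a revocation endpoint
that behaves as this page describes: HTTP Basic client authentication, a
form-encoded body, and HTTP 200 both for a revoked token and for an unknown one.
"""
import base64
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.parse import quote, urlencode

# Constructed placeholder; replace with your provider's revocation endpoint.
REVOCATION_URL = "https://server.example.com:443/oidc/endpoint/provider_name/revoke"
VALID_HINTS = ("access_token", "refresh_token")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Step 1: form-urlencode each credential (RFC 6749 section 2.3.1), then
    Base64-encode "id:secret" for the HTTP Basic Authorization header.
    Encoding first matters when a secret contains ':' or other reserved characters."""
    credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def revocation_body(token: str, token_type_hint: Optional[str] = None) -> str:
    """Step 2: build the form body. The token is required; the hint is optional
    and, when given, must be one of the two RFC 7009 values."""
    if not token:
        raise ValueError("token must be a non-empty string")
    params = {"token": token}
    if token_type_hint is not None:
        if token_type_hint not in VALID_HINTS:
            raise ValueError(f"unsupported token_type_hint: {token_type_hint!r}")
        params["token_type_hint"] = token_type_hint
    return urlencode(params)  # percent-encodes the token if it contains reserved characters


def build_revocation_request(
    client_id: str, client_secret: str, token: str, token_type_hint: Optional[str] = None
) -> Tuple[Dict[str, str], bytes]:
    """Assemble the headers and body exactly as shown in the page's example request."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return headers, revocation_body(token, token_type_hint).encode("ascii")


def revocation_succeeded(status: int) -> bool:
    """Per RFC 7009, 200 means the token is now invalid, whether the server
    revoked it or never knew it. Anything else (400 unsupported hint, 401 client
    authentication failure, 503 temporarily unavailable) means the token may
    still be live, so the caller must not treat it as revoked."""
    return status == 200


def revoke(
    url: str,
    client_id: str,
    client_secret: str,
    token: str,
    token_type_hint: Optional[str] = None,
    context: Optional[ssl.SSLContext] = None,
) -> int:
    """Step 3: POST the request over TLS and return the HTTP status code."""
    headers, body = build_revocation_request(client_id, client_secret, token, token_type_hint)
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=10, context=context) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx responses are still an answer from the server


if __name__ == "__main__":
    # Reproduces the page's example request offline; credentials are the RFC 6749
    # sample pair, the token is the page's sample value.
    hdrs, data = build_revocation_request("s6BhdRkqt3", "gX1fBat3bV", "45ghiukldjahdnhzdauz", "access_token")
    print("POST /revoke HTTP/1.1")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print()
    print(data.decode("ascii"))
    # Uncomment to send it for real:
    # status = revoke(REVOCATION_URL, "s6BhdRkqt3", "gX1fBat3bV", "45ghiukldjahdnhzdauz", "access_token")
    # print("revoked" if revocation_succeeded(status) else f"not revoked, status {status}")
```

Only a 200 should be taken as "the token is gone": a 401 means the client credentials were rejected and the token was never examined, and a 503 means the server asks you to retry, so a client that logs the user out on any response risks leaving a live token behind.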