...
Field | Type | Description |
|---|---|---|
token | string | The token to revoke |
token_type_hint | enum | The type of token to revoke (must be |
New API Endpoints
Seven This section outlines new endpoints and an extension of implementation for one existing endpoint are proposedthe behavior of each.
As a note, all new methods that can be accessed on behalf of a user (i.e. with a session token or access token) are organized under /oauth2/audit. All client actions (that require client credentials) are organized under /oauth2/token.
Viewing applications that have OAuth access to a user’s account
...
In practice, only the token name can be updated.
User revocation of a particular
...
token
Endpoint: POST /oauth2/audit/tokens/:token_id/revoke
Request Parameters:
...
Endpoint: POST /oauth2/revoke
Request Body: OAuthTokenRevocationRequest
Response: By RFC 7009 § 2.2, on successful revocation, HTTP 200. No body.
Upon calling this method, the refresh/access token and associated tokens held by this client and associated with the user are revoked. Note: a specific path for this endpoint is not named by OAuth 2.0/OIDC specifications.
...
Retrieval of token metadata
Endpoint (users): GET /oauth2/audit/tokens/:token_id/metadata
Endpoint (clients): GET /oauth2/token/:token_id/metadata
Request Parameter: token_id - the ID of the token to gather metadata about
Response: OAuthRefreshTokenInformation
The client can call this endpoint to get token metadata name. This metadata can be displayed to the user so that they may more easily identify the token in use when auditing/revoking tokens.
...