OAuth revocation endpoint

We can use a revocation endpoint to ensure that tokens a client no longer needs are actually invalidated at the authorization server.

ISAM supports use of an OAuth revocation endpoint. This endpoint enables clients to inform an authorization server that a specified token is no longer used, and must be revoked. The support is compliant with RFC 7009.

The revocation URL is enabled by default and cannot be disabled.

A typical revocation response is an HTTP 200 with an empty body. We can modify a mapping rule to add response attributes.

The RFC states that the revocation endpoint must authenticate the client with its client credentials. You can provide these credentials as the POST parameters client_id and client_secret, or as a Basic Authentication (BA) header. Authentication that uses BA can occur at the point of contact (reverse proxy) or at the revocation endpoint itself (similar to the OAuth token endpoint). The client can also authenticate with an access token that was issued to it.

The RFC also states that the revocation endpoint can revoke only tokens that were issued to the client that is requesting the revocation.

Map rule variables

Variable: only_allow_conf_client_revoke

Description: We can use the pre-mapping rule to specify whether non-confidential (public) clients can revoke tokens. By default, only confidential clients can revoke tokens.

To enable non-confidential clients to revoke tokens, set this variable to false.

Default:

    var only_allow_conf_client_revoke = true;
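The following added example (not ISAM product code or a mapping rule) shows what a client-side RFC 7009 revocation request looks like with each of the two credential styles described above, and how a client should read the server's answer. A confidential client sends its client_id and client_secret either in a Basic Authentication header or as POST parameters; a public client has no secret and therefore only sends client_id, which is the case the only_allow_conf_client_revoke variable decides on the server side. The endpoint URL, client identifier, secret and token values are constructed placeholders, and the optional send_revocation helper is a generic urllib call, not an ISAM API.

```python
"""RFC 7009 token revocation: request construction and response handling.

Added illustration, not ISAM code. REVOCATION_URL, the client credentials
and the token strings used below are constructed placeholders.
"""
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

REVOCATION_URL = "https://idp.example.test/oauth2/revoke"  # placeholder (assumption)


def build_revocation_request(token, client_id, client_secret=None,
                             use_basic_auth=True, token_type_hint=None):
    """Return (headers, body) for an RFC 7009 section 2.1 revocation POST.

    The body is application/x-www-form-urlencoded with 'token' and an optional
    'token_type_hint'. Client authentication is either an HTTP Basic header
    (RFC 6749 section 2.3.1, credentials form-encoded before base64) or the
    client_id / client_secret form parameters. A public client passes
    client_secret=None and use_basic_auth=False, sending only client_id.
    """
    form = {"token": token}
    if token_type_hint:
        form["token_type_hint"] = token_type_hint
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic_auth:
        if client_secret is None:
            raise ValueError("Basic authentication requires a client secret")
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        form["client_id"] = client_id
        if client_secret is not None:
            form["client_secret"] = client_secret
    return headers, urlencode(form)


def interpret_revocation_response(status, body=""):
    """Classify an RFC 7009 section 2.2 / 2.2.1 response.

    200: the token is revoked or was already invalid (the RFC deliberately does
         not signal an unknown token); the body is normally empty.
    400 unsupported_token_type: the server cannot revoke this kind of token.
    401 / invalid_client: client authentication failed, so nothing was revoked.
    503: temporarily unavailable; the client should retry later.
    """
    if status == 200:
        return "revoked"
    if status == 503:
        return "retry"
    if status in (400, 401):
        try:
            err = json.loads(body).get("error", "") if body else ""
        except ValueError:
            err = ""
        if status == 401 or err == "invalid_client":
            return "client_auth_failed"
        if err == "unsupported_token_type":
            return "unsupported_token_type"
        return "request_error"
    return "unexpected"


def send_revocation(headers, body, url=REVOCATION_URL):
    """POST the prepared request and classify the reply (network call; not run here)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return interpret_revocation_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return interpret_revocation_response(e.code, e.read().decode())


if __name__ == "__main__":
    # Confidential client, Basic Authentication header (constructed values).
    hdrs, body = build_revocation_request("tok123", "cid", "sec",
                                          token_type_hint="access_token")
    print(hdrs["Authorization"], body)
    # Public client: only client_id travels in the form body.
    print(build_revocation_request("tok123", "public-app", use_basic_auth=False)[1])
```

Because a 200 is returned even for a token the server does not recognise, a client cannot use the revocation response to probe whether a token exists; on the server side, a 401 or invalid_client in revocation logs is the signal worth alerting on, since it indicates credential misuse rather than routine cleanup.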
