OAuth revocation endpoint
We can use the revocation endpoint to ensure that tokens a client no longer needs are revoked.
ISAM supports use of an OAuth revocation endpoint. This endpoint enables clients to inform an authorization server that a specified token is no longer used, and must be revoked. The support is compliant with RFC 7009.
The revocation URL is enabled by default and cannot be disabled.
A typical revocation response returns a 200 response, with an empty body. We can modify a mapping rule to add response attributes.
The RFC states that requests to the revocation endpoint must be authenticated with client credentials. We can provide these credentials as the POST parameters client_id and client_secret, or as a Basic Authentication (BA) header. Authentication with BA can occur at the point of contact (reverse proxy) or at the revocation endpoint itself (similar to the OAuth token endpoint). The client can also authenticate with an access token that was issued to it.
The RFC states that the revocation endpoint can revoke only tokens that were issued to the client that requests the revocation.
- URL
https://<Reverse proxy host/port/junction>/sps/oauth/oauth20/revoke
HTTP Request Example
POST /mga/sps/oauth/oauth20/revoke HTTP/1.1
Host: server.oauth.com
Content-Type: application/x-www-form-urlencoded

client_id=yb98la1&client_secret=4531959525657&token=2YotnFZFEjr1zCsicMWpAA
token_type_hint
The revocation endpoint supports the token_type_hint parameter. The hint optimizes the lookup time for the token, but it does not limit the breadth of the search in the token cache: the token is found even if its actual type differs from the hint. For example:
POST /sps/oauth/oauth20/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded

token=&client_id=aClient&client_secret=aSecret&token_type_hint=access_token
Valid values for token_type_hint are access_token and refresh_token.
Map rule variables
Variable: only_allow_conf_client_revoke
Description: We can use the pre-mapping rule to specify whether non-confidential (public) clients can revoke tokens. By default, only confidential clients can revoke tokens. To enable non-confidential clients to revoke tokens, set this variable to false.
Default:
var only_allow_conf_client_revoke = true;
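The following in-memory model shows how the rules above fit together: client authentication via Basic header or POST parameters, the only_allow_conf_client_revoke gate, the hint-first lookup that still searches both token caches, and revocation limited to tokens issued to the requesting client. It is an added example for Node.js, not ISAM code; the client registry, token values and the choice to answer a foreign token with a plain 200 (so the endpoint does not reveal whether a token exists) are constructed assumptions.

```javascript
// Mirrors the mapping-rule default: only confidential clients may revoke.
const ONLY_ALLOW_CONF_CLIENT_REVOKE = true;

// Constructed sample registry and token caches (not real ISAM data).
const clients = {
  yb98la1: { secret: '4531959525657', confidential: true },
  pubapp:  { secret: null, confidential: false },
  other:   { secret: 'otherSecret', confidential: true },
};
const accessTokens = new Map([
  ['2YotnFZFEjr1zCsicMWpAA', { client: 'yb98la1' }],
  ['foreignTok', { client: 'other' }],
]);
const refreshTokens = new Map([['tGzv3JOkF0XG5Qx2TlKWIA', { client: 'yb98la1' }]]);

// Authenticate from a Basic header (RFC 6749 2.3.1: base64 of "id:secret") or
// from the client_id / client_secret POST parameters.
function authenticateClient(headers, params) {
  let id = params.client_id;
  let secret = params.client_secret;
  const auth = headers.authorization || '';
  if (auth.startsWith('Basic ')) {
    const decoded = Buffer.from(auth.slice(6), 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    if (sep < 0) return null;
    id = decodeURIComponent(decoded.slice(0, sep));
    secret = decodeURIComponent(decoded.slice(sep + 1));
  }
  const client = clients[id];
  if (!client) return null;
  if (client.confidential && client.secret !== secret) return null;
  return { id, ...client };
}

// Try the hinted cache first for speed, but fall back to the other cache, so a
// wrong hint never hides a token.
function findToken(token, hint) {
  const order = hint === 'refresh_token' ? [refreshTokens, accessTokens]
                                         : [accessTokens, refreshTokens];
  for (const store of order) {
    if (store.has(token)) return { store, entry: store.get(token) };
  }
  return null;
}

// Returns { status, body } for one revocation request. Assumption: failed client
// authentication yields 401 invalid_client (RFC 6749 5.2 style error body).
function revoke(headers, params) {
  const client = authenticateClient(headers, params);
  if (!client) return { status: 401, body: { error: 'invalid_client' } };
  if (ONLY_ALLOW_CONF_CLIENT_REVOKE && !client.confidential) {
    return { status: 401, body: { error: 'invalid_client' } };
  }
  const hit = findToken(params.token, params.token_type_hint);
  // RFC 7009: unknown tokens still get 200; a token issued to another client
  // is treated the same way and is left untouched.
  if (hit && hit.entry.client === client.id) hit.store.delete(params.token);
  return { status: 200, body: '' };
}
```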