| 1 | +Part 4 - Revoking an OAuth2 Token |
| 2 | +==================================== |
| 3 | + |
| 4 | +Scenario |
| 5 | +-------- |
| 6 | +You've granted a user an :term:`Access Token`, following :doc:`part 1 <tutorial_01>` and now you would like to revoke that token, probably in response to a client request (to logout). |
| 7 | + |
| 8 | +Revoking a Token |
| 9 | +-------------- |
| 10 | +Be sure that you've granted a valid token. If you've hooked in `oauth-toolkit` into your `urls.py` as specified in :doc:`part 1 <tutorial_01>`, you'll have a URL at `/o/revoke_token`. By submitting the appropriate request to that URL, you can revoke a user's :term:`Access Token`. |
| 11 | + |
| 12 | +`Oauthlib <https://github.com/idan/oauthlib>`_ is compliant with https://tools.ietf.org/html/rfc7009, so as specified, the revocation request requires: |
| 13 | + |
| 14 | +- token: REQUIRED, this is the :term:`Access Token` you want to revoke |
| 15 | +- token_type_hint: OPTIONAL, designating either 'access_token' or 'refresh_token'. |
| 16 | + |
| 17 | +Note that these revocation-specific parameters are in addition to the authentication parameters already specified by your particular client type. |
| 18 | + |
| 19 | +Setup a Request |
| 20 | +---------------- |
| 21 | +Depending on the client type you're using, the token revocation request you may submit to the authentication server mayy vary. A `Public` client, for example, will not have access to your `Client Secret`. A revoke request from a public client would omit that secret, and take the form: |
| 22 | + |
| 23 | +:: |
| 24 | + |
| 25 | + POST /o/revoke_token/ HTTP/1.1 |
| 26 | + Content-Type: application/x-www-form-urlencoded |
| 27 | + token=XXXX&client_id=XXXX |
| 28 | + |
| 29 | +Where token is :term:`Access Token` specified above, and client_id is the `Client id` obtained in |
| 30 | +obtained in :doc:`part 1 <tutorial_01>`. If your application type is `Confidential` , it requires a `Client secret`, you will have to add it as one of the parameters: |
| 31 | + |
| 32 | +:: |
| 33 | + |
| 34 | + POST /o/revoke_token/ HTTP/1.1 |
| 35 | + Content-Type: application/x-www-form-urlencoded |
| 36 | + token=XXXX&client_id=XXXX&client_secret=XXXX |
| 37 | + |
| 38 | + |
| 39 | +The server will respond wih a `200` status code on successful revocation. You can use `curl` to make a revoke request on your server. If you have access to a local installation of your authorization server, you can test revoking a token with a request like that shown below, for a `Confidential` client. |
| 40 | + |
| 41 | +:: |
| 42 | + |
| 43 | + curl --data "token=XXXX&client_id=XXXX&client_secret=XXXX" http://localhost:8000/o/revoke_token/ |
| 44 | + |
| 45 | + |
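Review bot: the underline beneath "Revoking a Token" is two characters shorter than the heading text, which makes Sphinx emit a "Title underline too short" warning when the docs are built; extend it to at least 16 dashes. Fix the typos "mayy" in the "Setup a Request" paragraph and "wih" in the paragraph describing the `200` response, and drop the duplicated "obtained in" that straddles the line break after the first HTTP example. In both HTTP examples a blank line is missing between the `Content-Type` header and the form body, so as written they are not well-formed requests; add it. Finally, `oauth-toolkit`, `urls.py`, `/o/revoke_token` and the `Client id`/`Client secret` names use single backticks, which reStructuredText renders as interpreted text rather than literals; use double backticks for these.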