Revoking tokens
The Authorization Server exposes a revoke token endpoint that lets a client notify the Authorization Server that it no longer needs an access or refresh token. After revocation, the token can no longer be used: a revoked access token can no longer access resources, and a revoked refresh token can no longer be used to request access tokens.
CAUTION: By revoking an access token, the Authorization Server invalidates that access token. However, if a Resource Server caches valid access tokens for performance reasons, to limit its communication with the Authorization Server, the token will still be considered valid by that Resource Server until it next contacts the Authorization Server. Consult the documentation or specification of the Resource Server you are accessing to understand how it handles revocation of tokens.
Forming the request
Endpoint | Description | Method |
---|---|---|
https://oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke | This endpoint is the target of the request to revoke an OAuth2.0 access or refresh token | HTTP-POST |
The form body posted is composed of the following parameters.
Parameter | Values | Description | Required |
---|---|---|---|
token | The access or refresh token to revoke. | A string representing the access or refresh token issued by the OAuth 2.0 Authorization Server. | Yes |
token_type_hint | A hint regarding the passed token parameter. | A string indicating the type of the token to revoke (access_token or refresh_token, as used in the examples below). | No (defaults to 'access_token') |
Client Authentication
You also need to authenticate the client for this call; see the client authentication section for details.
The client authentication methods that are allowed are:
- With a JSON Web Key
- With the client identifier and client secret in the header
- With the client identifier and client secret in the body
If you use a JSON Web Token, the audience (aud) in the JWT for this call must be:
- https://oauth.vlaanderen.be/authorization/ws/oauth/v2/revoke
Example 1: A confidential client revoking an access token
POST https://oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
token=j8Y0bYlxfr3z_dBbuZ8etA
&token_type_hint=access_token
&client_id=A_68548
&client_secret=cuIl1QijikgJHGYJFUcnOZ
POST https://oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
token=j8Y0bYlxfr3z_dBbuZ8etA
&token_type_hint=access_token
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Imo5c1ZrNU9INVlOQS1uMS00bDdUM013UVJJUSJ9.eyJzdWIiOiI3ODk0NTYiLCJpc3MiOiI3ODk0NTYiLCJleHAiOiIxNTE2MjQwMDIyIiwiaWF0IjoiMTU1MjkwOTYwMSIsImp0aSI6IjYzMjMzY2Q5LTIxYjgtNGZhMS04ODU4LTY2YjcxNWY3YTg2NiIsImF1ZCI6Imh0dHBzOi8vb2F1dGgudmxhYW5kZXJlbi5iZS9hdXRob3JpemF0aW9uL3dzL29hdXRoL3YyL2F1dGhvcml6YXRpb24ifQ.dPWB45Fe-ctNq5Q5bwGSVfFjbVoGMd6mrKzd3V9Xaq136vnAABYstr9v0E-rTz_VjoHJOpS23336-3ooDEl-bahfVJhpsjTW2_8X8eU9Jdyznl5VWpLKfAmHW9ycWupMf3jeCGfbLe5e1Nj1AmMuvufwawpb8-c9XuRoJoK6y232gRa-xfBQxJMcaS8L9qxYVLecPeqQjnjAs0qDOzrRzyIDLC9fBUG0UeC4sd_rEMSgBSj_N5uMbg4hyV6HB6-WuJy0R_MWFRq_fgqa3vRqDd9D0epLc-_QugfeGgdryKer57WLtbYfDXWoXEgsKmqToHyZx2G96ohuIqws3ytxxg
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
POST https://oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: oauth.vlaanderen.be
Authorization: Basic Nzg5NDU2OjI5OE1TR0hTSlk5MzI3MzI1M0dJREdJRFpOX1ZDWDJIJTNEJTNE
Content-Type: application/x-www-form-urlencoded
token=j8Y0bYlxfr3z_dBbuZ8etA
&token_type_hint=access_token
The newlines in the body are only there for readability. Be sure to URL-encode the token, client_secret, client_assertion and client_assertion_type values.
Example 2: A confidential client revoking a refresh token
POST https://oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
token=RULRbxvTBGhy6kRYoaSg-w
&token_type_hint=refresh_token
&client_id=A_68548
&client_secret=cuIl1QijikgJHGYJFUcnOZ
POST https://oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
token=RULRbxvTBGhy6kRYoaSg-w
&token_type_hint=refresh_token
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Imo5c1ZrNU9INVlOQS1uMS00bDdUM013UVJJUSJ9.eyJzdWIiOiI3ODk0NTYiLCJpc3MiOiI3ODk0NTYiLCJleHAiOiIxNTE2MjQwMDIyIiwiaWF0IjoiMTU1MjkwOTYwMSIsImp0aSI6IjYzMjMzY2Q5LTIxYjgtNGZhMS04ODU4LTY2YjcxNWY3YTg2NiIsImF1ZCI6Imh0dHBzOi8vb2F1dGgudmxhYW5kZXJlbi5iZS9hdXRob3JpemF0aW9uL3dzL29hdXRoL3YyL2F1dGhvcml6YXRpb24ifQ.dPWB45Fe-ctNq5Q5bwGSVfFjbVoGMd6mrKzd3V9Xaq136vnAABYstr9v0E-rTz_VjoHJOpS23336-3ooDEl-bahfVJhpsjTW2_8X8eU9Jdyznl5VWpLKfAmHW9ycWupMf3jeCGfbLe5e1Nj1AmMuvufwawpb8-c9XuRoJoK6y232gRa-xfBQxJMcaS8L9qxYVLecPeqQjnjAs0qDOzrRzyIDLC9fBUG0UeC4sd_rEMSgBSj_N5uMbg4hyV6HB6-WuJy0R_MWFRq_fgqa3vRqDd9D0epLc-_QugfeGgdryKer57WLtbYfDXWoXEgsKmqToHyZx2G96ohuIqws3ytxxg
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
POST https://oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Nzg5NDU2OjI5OE1TR0hTSlk5MzI3MzI1M0dJREdJRFpOX1ZDWDJIJTNEJTNE
token=RULRbxvTBGhy6kRYoaSg-w
&token_type_hint=refresh_token
The newlines in the body are only there for readability. Be sure to URL-encode the token, client_secret, client_assertion and client_assertion_type values.
Example 3: A public client revoking an access token
POST https://oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
token=UqGzSDDQx36mSqapDfnA&client_id=A_68548
For a public client the token_type_hint can be omitted, because a public client can only use the implicit grant flow and therefore can only obtain access tokens. Be sure to URL-encode the token.
Handling the response
If the token has been revoked successfully or if the client submitted an invalid token, the Authorization Server responds with HTTP status code 200.
Handling an error
When an error occurs, a JSON result containing the error information is returned.
Example error response
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"error": "unsupported_token_type"
}
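As an added example that is not part of this documentation, the following Python helper builds the revocation request exactly as the examples above do (credentials in the body, in a Basic header, or a public client sending only client_id) and interprets the response. The endpoint and the sample credentials come from this page; the function names are my own, and the Basic header construction follows RFC 6749 section 2.3.1, which is why the decoded Authorization header on this page contains a percent-encoded secret.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Endpoint and sample client credentials are the ones shown on this page;
# everything else in this example is constructed for illustration.
REVOKE_ENDPOINT = ("https://oauth.vlaanderen.be/authorization/ws/oauth/v2/"
                   "authorization/revoke")


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value as RFC 6749 section 2.3.1 prescribes: form-urlencode
    id and secret first, then base64 the 'id:secret' pair. That is why the
    Basic header on this page decodes to 789456:...VCX2H%3D%3D, i.e. a
    secret ending in '==' with both '=' percent-encoded."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_revoke_request(token, client_id, client_secret=None,
                         token_type_hint=None, secret_in_header=True):
    """Return (headers, body) for the POST to REVOKE_ENDPOINT.
    urlencode() percent-encodes every value, which covers the page's advice
    to URL-encode the token and the client secret. With client_secret=None
    the client is treated as public: only token and client_id are sent."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"token": token}
    if token_type_hint is not None:
        params["token_type_hint"] = token_type_hint
    if client_secret is None:
        params["client_id"] = client_id            # public client
    elif secret_in_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:                                          # credentials in the body
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    return headers, urlencode(params)


def interpret_revoke_response(status, body):
    """200 means the token is revoked or was already invalid; the server does
    not distinguish, so a 200 is not evidence that the token ever existed.
    Any other status carries a JSON body whose 'error' field names the cause."""
    if status == 200:
        return "revoked"
    try:
        return "error:" + json.loads(body).get("error", "unknown")
    except (ValueError, TypeError, AttributeError):
        return "error:unparseable"
```

Send the returned body with the returned headers to REVOKE_ENDPOINT over HTTPS; a 200 is the only success signal, so log the request outcome rather than relying on the response to tell you whether the token was still live.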