To revoke a valid access token, stop the Client Application from using that access token, we will use the token revocation endpoint. With the Authorization Server built using Spring Authorization Server, you can use the following POST request to revoke an access token: http://localhost:8080/oauth2/revoke.
For example, now I have a RegisteredClient as follows:
RegisteredClient registeredClient1 = RegisteredClient.withId(UUID.randomUUID().toString())
Get the access token of this client, then call the token introspection request, you will see the following results:
Now, if I call the token revocation request with 3 parameters in the body of the request, the token to be revoked, the client_id and the client_secret of this access token, you will see the following result:
So we have successfully revoked this access token.
Now if you call the token introspection request again for this access token, you will see this access token become an invalid one, as follows:
Is there any listener to record logout time in database?
I have set authentication client method to None , and no secret , but somehow token revocation endpoint still requires authentication. How do i remove it?
Why is there a need for client credentials to revoke a token? Isn’t just the token sufficient?
I’m trying to implement a logout from the UI and algo logout the SSO (Spring Authorization Server). The problem to use the OidcClientInitiatedLogoutSuccessHandler is that it does not have the ‘end_session_endpoint’ metadata, so I tried directly to ‘revoke’ the token.
I tried with your example but always give me this result:
The only difference that I’ve from my Registered Client is that the authentication method is CLIENT_SECRET_BASIC, which must be this value in order to do the login in the UI.
Any idea what I’m doing wrong?