OAuth 2.0 Token Revocation (RFC 7009) allows clients to revoke tokens that are no longer needed. This lets the Authorization Server clean up unused security tokens, which improves security.
To enable the feature, the endpoint has to be configured under the Authorization Server Settings. The endpoint is then available at <URL of Loginapp>/oauth2/v2/revoke
Authenticated token revocation endpoint
Clients must authenticate at the Token Revocation Endpoint using the configured authentication method in order to revoke tokens. For OpenID Connect, the authentication method of the revocation endpoint is also published in the discovery document.
Public client token revocation endpoint
Clients must not authenticate, but must include the client_id parameter identifying the client to which the token belongs.
Revocation details
Revoked tokens are invalidated but remain in the database, so that later attempts to use them can be detected as replay attempts. If the token does not belong to the client requesting the revocation, no tokens are revoked, but the response is the same as for a successful revocation.
Token revocation strategy
Related tokens (i.e. "Invalidate All Tokens Of The Grant") can be invalidated by a single revocation request. This strategy can be configured separately for revocations of access tokens and of refresh tokens.
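The following is an added example, not code from the original documentation or from the product it describes. It models in memory the endpoint behaviour described under the authenticated and public client sections and under the revocation details and strategy: client authentication via HTTP Basic or a bare client_id, a token that stays stored after revocation so a replayed token is recognised as revoked rather than unknown, an identical 200 response when the token belongs to another client, and a per-token-type strategy that either revokes the single token or every token of the same grant. Client names, secrets, token values and grant identifiers are constructed for the example.

```python
"""Added example (not part of the original documentation): an in-memory model
of an RFC 7009 revocation endpoint with the behaviour the page describes.
All client ids, secrets, token values and grant ids below are constructed."""
import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, unquote


@dataclass
class Token:
    value: str
    client_id: str
    grant_id: str          # every token issued for one grant shares this id
    kind: str              # "access_token" or "refresh_token"
    revoked: bool = False  # revoked tokens stay stored so replay is detectable


@dataclass
class RevocationServer:
    clients: dict                      # client_id -> secret (None for public clients)
    tokens: dict = field(default_factory=dict)
    # Strategy per token type: True means "Invalidate All Tokens Of The Grant".
    revoke_grant_for: dict = field(
        default_factory=lambda: {"access_token": False, "refresh_token": True})

    def issue(self, value, client_id, grant_id, kind):
        self.tokens[value] = Token(value, client_id, grant_id, kind)

    def _authenticate(self, headers, form):
        """Return the client_id the request speaks for, or None if it fails."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            raw = base64.b64decode(auth[len("Basic "):]).decode()
            cid, _, secret = raw.partition(":")
            cid, secret = unquote(cid), unquote(secret)
            # Confidential clients must present the configured secret.
            if self.clients.get(cid) is not None and self.clients[cid] == secret:
                return cid
            return None
        # Public clients do not authenticate but must send their client_id.
        cid = form.get("client_id", [None])[0]
        if cid in self.clients and self.clients[cid] is None:
            return cid
        return None

    def revoke(self, headers, body):
        """Handle POST <URL of Loginapp>/oauth2/v2/revoke; returns (status, json)."""
        form = parse_qs(body)
        client_id = self._authenticate(headers, form)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        token = form.get("token", [None])[0]
        if token is None:
            return 400, {"error": "invalid_request"}
        tok = self.tokens.get(token)
        # Unknown token or a token of another client: nothing is revoked, but
        # the answer is still 200 so the endpoint reveals nothing about it.
        if tok is None or tok.client_id != client_id:
            return 200, {}
        if self.revoke_grant_for[tok.kind]:
            for t in self.tokens.values():
                if t.grant_id == tok.grant_id:
                    t.revoked = True
        else:
            tok.revoked = True
        return 200, {}

    def introspect(self, value):
        """Resource-server view: 'active', 'revoked' (a replay) or 'unknown'."""
        tok = self.tokens.get(value)
        if tok is None:
            return "unknown"
        return "revoked" if tok.revoked else "active"


def basic_auth_header(client_id, secret):
    """HTTP Basic client authentication (RFC 6749 section 2.3.1 encoding)."""
    creds = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode()}


def demo():
    """Constructed scenario exercising the behaviours described on the page."""
    srv = RevocationServer(clients={"web-app": "s3cr3t", "spa": None})
    srv.issue("at-web-1", "web-app", "grant-1", "access_token")
    srv.issue("rt-web-1", "web-app", "grant-1", "refresh_token")
    srv.issue("at-spa-1", "spa", "grant-2", "access_token")
    good, bad = basic_auth_header("web-app", "s3cr3t"), basic_auth_header("web-app", "wrong")
    out = {}
    out["wrong_secret"] = srv.revoke(bad, "token=at-web-1")[0]                 # 401
    out["access"] = srv.revoke(good, "token=at-web-1&token_type_hint=access_token")[0]
    out["after_access"] = (srv.introspect("at-web-1"), srv.introspect("rt-web-1"))
    # Public client revoking a token that is not its own: 200, no effect.
    out["foreign"] = srv.revoke({}, "client_id=spa&token=rt-web-1")[0]
    out["after_foreign"] = srv.introspect("rt-web-1")                          # active
    # Refresh-token strategy is "all tokens of the grant".
    out["refresh"] = srv.revoke(good, "token=rt-web-1")[0]
    out["after_refresh"] = (srv.introspect("rt-web-1"), srv.introspect("at-spa-1"))
    out["unknown"] = srv.introspect("never-issued")
    return out
```

The introspect helper shows why revoked tokens are kept rather than deleted: a resource server or log pipeline can distinguish a replayed, previously valid token ("revoked") from a never-issued value ("unknown"), which is the signal needed to alert on token theft.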