The revocation endpoint revokes a refresh token together with the access tokens that were issued with it.
Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/revoke
Request method: POST
NOTE: The client authenticates either by sending client_id and client_secret as request body parameters (as in the preceding curl request) or by sending the client credentials in the HTTP Basic Authorization header, as described in RFC 6749.
The request must carry the refresh token and the client credentials as HTTP request parameters, as listed in the following table:

Parameter | Required | Description
---|---|---
client_id | Yes | The client application ID obtained at the time of client application registration.
client_secret | Optional | The secret obtained at the time of client application registration. The client secret is optional for a native application and mandatory for a web application.
token | Yes | The refresh_token obtained during the authorization code, resource owner credentials, or client credentials flow.
The Identity Server responds with HTTP status code 200 OK if the token has been revoked successfully, and also if the client submitted an invalid (unknown or already revoked) token: in either case the token is no longer usable, so no error is reported.
The Identity Server returns the error code unsupported_token_type when the submitted token is not a refresh token.
If the Identity Server responds with HTTP status code 503, the token has not been revoked. The client must assume the token still exists and may retry the revocation after a reasonable delay.
When the Mobile Access SDK is not used for on-boarding and off-boarding devices, a token can be associated with a device manually by sending the additional parameter device_id when requesting an access token. Tokens associated in this way can be revoked through the revocation endpoint. Send a request to the following endpoint to revoke all tokens issued to a device.
Endpoint URL: https://idpbaseurl.com/nidp/oauth/nam/revoke/<device_id>
Request method: POST
Content-Type: application/x-www-form-urlencoded (Optional)
Request Parameters:

Parameter | Required | Description
---|---|---
userstore_name | Yes | The name of the user store that holds the user.
user_dn | Yes | The DN of the user to whom the tokens were issued.
Response Values
HTTP 200 OK
{ "status": "Successfully revoked token(s) issued to this device." }
A sample request and response follow (line breaks added for readability). Note that the sample response's Content-Length header does not account for the JSON body shown; a client should parse the body only when one is actually present.
Request
POST /nidp/oauth/nam/revoke/andriodtest_1401 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Host: www.idp.com:8443

userstore_name=namsignboxuserstore&user_dn=cn%3Dharry%2Co%3Dnovell
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, no-transform
Content-Length: 0
Date: Tue, 03 Mar 2015 18:12:55 GMT

{ "status": "Successfully revoked token(s) issued to this device." }
Error Response
When an invalid device ID is specified, or no token has been associated with the device, the Identity Server returns HTTP 404 NOT FOUND with the following body:
{ "error": "invalid_request", "error_description": "Invalid device ID or no tokens to revoke for this device." }
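The following Python client exercises both endpoints described on this page: the refresh-token revocation (client authentication, 200 on success or unknown token, retry on 503, unsupported_token_type on a non-refresh token) and the per-device revocation with its 404 error body. It is an added example, not Access Manager product code or an official SDK. The endpoint paths, parameter names and error bodies are the ones documented above; the transport indirection, the scripted offline responses, the exponential back-off on 503, and the assumption that unsupported_token_type arrives with HTTP 400 (the RFC 6749 error status that RFC 7009 refers to) are this example's own. Host, client, user and token values are constructed, and the per-device request sends no client credentials because the sample above does not.

```python
"""Client for the NAM OAuth revocation endpoints (added example, not product code)."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

FORM = "application/x-www-form-urlencoded"


class RevocationError(Exception):
    """The Identity Server rejected the request with an OAuth error body."""

    def __init__(self, status, error, description):
        super().__init__(f"HTTP {status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


def urllib_transport(url, headers, body):
    """Default transport: POST `body` to `url`; return (status, response_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read().decode()


def _error_fields(text):
    """Extract error/error_description from an OAuth error body, tolerating non-JSON."""
    try:
        doc = json.loads(text)
        return doc.get("error", "unknown"), doc.get("error_description", text)
    except (ValueError, AttributeError):
        return "unknown", text


def revoke_refresh_token(idp_base, client_id, refresh_token, client_secret=None,
                         transport=urllib_transport, retries=3, delay=1.0):
    """POST /nidp/oauth/nam/revoke.

    A web (confidential) client sends its credentials in the HTTP Basic header
    (RFC 6749); a native client without a secret sends client_id in the body.
    Returns True once the server answers 200 (also given for an unknown token)
    and False if every attempt hit 503, in which case the caller must treat the
    token as still valid. Any other error is raised as RevocationError.
    """
    url = f"{idp_base.rstrip('/')}/nidp/oauth/nam/revoke"
    fields = {"token": refresh_token}
    headers = {"Content-Type": FORM}
    if client_secret is not None:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    else:
        fields["client_id"] = client_id
    body = urllib.parse.urlencode(fields).encode()
    for attempt in range(retries):
        status, text = transport(url, headers, body)
        if status == 200:
            return True
        if status == 503:  # not revoked; back off (assumed policy) and retry
            time.sleep(delay * (2 ** attempt))
            continue
        raise RevocationError(status, *_error_fields(text))
    return False


def revoke_device_tokens(idp_base, device_id, userstore_name, user_dn,
                         transport=urllib_transport):
    """POST /nidp/oauth/nam/revoke/<device_id>: revoke every token issued to the
    device for the given user. Returns the server's status message; raises
    RevocationError on 404 (unknown device or nothing to revoke) or other errors.
    """
    path = f"/nidp/oauth/nam/revoke/{urllib.parse.quote(device_id, safe='')}"
    body = urllib.parse.urlencode(
        {"userstore_name": userstore_name, "user_dn": user_dn}).encode()
    status, text = transport(idp_base.rstrip("/") + path, {"Content-Type": FORM}, body)
    if status == 200:
        try:
            return json.loads(text).get("status", "revoked")
        except ValueError:  # the documented sample advertises Content-Length: 0
            return "revoked"
    raise RevocationError(status, *_error_fields(text))


def scripted_transport(responses):
    """Offline stand-in for urllib_transport: replays constructed (status, body)
    pairs in order and records every request it was handed."""
    queue = list(responses)
    sent = []

    def send(url, headers, body):
        sent.append((url, headers, body.decode()))
        return queue.pop(0)

    send.sent = sent
    return send


if __name__ == "__main__":
    # Constructed exchange: one 503, then the documented 200 with an empty body.
    t = scripted_transport([(503, ""), (200, "")])
    print(revoke_refresh_token("https://www.idp.com:8443", "webapp", "rt_abc",
                               client_secret="s3cret", transport=t, delay=0))
    print(t.sent[0][2])  # the form body that was sent
```

Swap `transport=urllib_transport` (the default) back in to talk to a real Identity Server; the scripted transport exists only so the status handling can be exercised without one.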