4.8 Revocation Endpoint

Revocation endpoint is used for revoking refresh tokens and their corresponding access tokens.

Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/revoke

Request method: POST

NOTE: The client authenticates either by sending client_id and client_secret as request body parameters (as in the preceding curl request) or by sending the client credentials in the HTTP Basic Authorization header (as specified in RFC 6749).

4.8.1 Request Parameters

The request should contain the refresh token and client credentials in HTTP request parameters as mentioned in the following table:

Parameter | Required | Description
client_id | Yes | The client application ID that is obtained at the time of client application registration.
client_secret | Optional | The secret that is obtained at the time of client application registration. The client secret is optional for a native application and mandatory for a web application.
token | Yes | The refresh_token that is obtained during the authorization grant, resource owner credentials, or client credentials flow.

4.8.2 Response Values

  • The Identity Server responds with HTTP status code 200 OK if the token has been revoked successfully or if the client submitted an invalid token.

  • The error code unsupported_token_type is returned by the Identity Server when the given token is not a refresh token.

  • If the Identity Server responds with HTTP status code 503, the client must assume the token still exists and may retry revoking the refresh token after a reasonable delay.
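The following is an added example, not code from the Access Manager documentation, showing a client that builds the revocation request in both authentication styles described above (client credentials in the form body, or in an RFC 6749 Basic Authorization header) and maps the response rules of 4.8.2 onto a client-side action. The host in IDP_BASE_URL and all client values are assumptions; only the Python standard library is used.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Assumed deployment values; replace with your Identity Server host and port.
IDP_BASE_URL = "https://idp.example.com:8443"
REVOKE_URL = f"{IDP_BASE_URL}/nidp/oauth/nam/revoke"


def build_revocation_request(client_id, client_secret, refresh_token, basic_auth=False):
    """Return (headers, body) for a POST to the revocation endpoint.

    basic_auth=False sends client_id/client_secret as form parameters (client_secret
    is omitted when None, as allowed for native applications).
    basic_auth=True sends them in a Basic Authorization header, form-encoding each
    value before base64 as RFC 6749 section 2.3.1 requires, leaving only 'token' in the body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"token": refresh_token}
    if basic_auth:
        raw = f"{quote(client_id, safe='')}:{quote(client_secret or '', safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        params["client_id"] = client_id
        if client_secret is not None:
            params["client_secret"] = client_secret
    return headers, urlencode(params)


def interpret_revocation_response(status, body):
    """Map the Identity Server's answer onto a client action (section 4.8.2).

    Returns one of "revoked", "retry", "unsupported_token_type" or "error".
    """
    if status == 200:
        # 200 is returned both for a successful revocation and for an invalid
        # token, so in either case the client can discard its local copy.
        return "revoked"
    if status == 503:
        # The token must be assumed to still exist; retry after a reasonable delay.
        return "retry"
    try:
        err = json.loads(body).get("error") if body else None
    except (json.JSONDecodeError, AttributeError):
        err = None
    if err == "unsupported_token_type":
        # The value sent as 'token' was not a refresh token.
        return "unsupported_token_type"
    return "error"


def revoke_refresh_token(client_id, client_secret, refresh_token, basic_auth=False):
    """Send the revocation request over HTTPS and interpret the result."""
    headers, body = build_revocation_request(client_id, client_secret, refresh_token, basic_auth)
    req = Request(REVOKE_URL, data=body.encode(), headers=headers, method="POST")
    try:
        with urlopen(req, timeout=10) as resp:
            return interpret_revocation_response(resp.status, resp.read().decode())
    except HTTPError as e:
        return interpret_revocation_response(e.code, e.read().decode())


if __name__ == "__main__":
    # Constructed values only; nothing is sent without a reachable Identity Server.
    hdrs, body = build_revocation_request("myclient", "s3cret", "rt-123", basic_auth=True)
    print(hdrs["Authorization"], body)
```

A "retry" outcome should be backed off and bounded; a client that loops on 503 without delay turns a transient outage into self-inflicted load, and one that silently drops the token on 503 leaves a live refresh token behind.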

4.8.3 Revoking a Token Issued to a Device

When the Mobile Access SDK is not used for on-boarding and off-boarding devices, a token can be manually associated with a device by supplying the additional parameter device_id when requesting an access token. Tokens associated in this way can be revoked through the revocation endpoint: send a request to revoke all tokens issued to the device.

Endpoint URL: https://idpbaseurl.com/nidp/oauth/nam/revoke/<device_id>

Request method: POST

Content-Type: application/x-www-form-urlencoded (Optional)

Request Parameters:

Parameter | Required | Description
userstore_name | Yes | The name of the user store.
user_dn | Yes | The DN of the user to whom the token is issued.

Response Values

HTTP 200 OK
{
"status": "Successfully revoked token(s) issued to this device."
}

Sample Request and Response

A sample request and response (with the line breaks for better readability):

Request

POST /nidp/oauth/nam/revoke/andriodtest_1401 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/41.0.2228.0 Safari/537.36
Host: www.idp.com:8443

userstore_name=namsignboxuserstore
&user_dn=cn%3Dharry%2Co%3Dnovell

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, no-transform
Content-Length: 0
Date: Tue, 03 Mar 2015 18:12:55 GMT
{
"status": "Successfully revoked token(s) issued to this device."
}

Error Response

When an invalid device ID is specified, or the device has not been associated with any token, the Identity Server returns HTTP 404 NOT FOUND with the following response:

{
"error": "invalid_request",
"error_description": "Invalid device ID or no tokens to revoke for this device."
}
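As an added example (not code from the product documentation), the following builds the device revocation request from section 4.8.3, including the percent-encoding of the DN that the sample above shows as cn%3Dharry%2Co%3Dnovell, and classifies the 200 and 404 responses. IDP_BASE_URL is an assumed host; the sample device, user store and DN values are the ones from the sample request.

```python
import json
from urllib.error import HTTPError
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Assumed deployment value; replace with your Identity Server host and port.
IDP_BASE_URL = "https://idp.example.com:8443"


def build_device_revocation_request(device_id, userstore_name, user_dn):
    """Return (url, body) for revoking every token issued to one device.

    device_id is a path segment, so it is percent-encoded with quote();
    the form parameters are encoded with urlencode(), which turns the '=' and ','
    in an LDAP DN into %3D and %2C.
    """
    url = f"{IDP_BASE_URL}/nidp/oauth/nam/revoke/{quote(device_id, safe='')}"
    body = urlencode({"userstore_name": userstore_name, "user_dn": user_dn})
    return url, body


def interpret_device_revocation_response(status, body):
    """Classify the response: 200 on success, 404 invalid_request when there is
    nothing to revoke for that device ID."""
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    if status == 200:
        return {"outcome": "revoked", "message": payload.get("status")}
    if status == 404 and payload.get("error") == "invalid_request":
        # Unknown device ID, or no token was ever associated with this device.
        return {"outcome": "nothing_to_revoke", "message": payload.get("error_description")}
    return {"outcome": "error", "message": payload.get("error_description") or body}


def revoke_device_tokens(device_id, userstore_name, user_dn):
    """Send the request over HTTPS and return the classified result."""
    url, body = build_device_revocation_request(device_id, userstore_name, user_dn)
    req = Request(url, data=body.encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"},
                  method="POST")
    try:
        with urlopen(req, timeout=10) as resp:
            return interpret_device_revocation_response(resp.status, resp.read().decode())
    except HTTPError as e:
        return interpret_device_revocation_response(e.code, e.read().decode())


if __name__ == "__main__":
    # Values taken from the sample request above; nothing is sent without a server.
    print(build_device_revocation_request("andriodtest_1401", "namsignboxuserstore",
                                          "cn=harry,o=novell"))
```

Because this call revokes every token for a user's device in one step, restrict which clients may invoke it and log each call with the device ID, user DN and outcome, so that revocations can be audited alongside the issuance events they cancel.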