A client app may revoke access and refresh tokens received from the Authorization Server by sending a revocation request to the revocation endpoint.
In all three available OAuth 2.0 flows, client apps receive access tokens that they use to access resource owners' data. These access tokens have a predefined lifespan of 1800 seconds. Typically, a confidential and trusted client app that no longer needs an access token whose lifespan hasn't expired can revoke the token. Revoking the access token lets the Authorization Server clean up any security credentials associated with the authorization.
For example, to implement a logout functionality, a client app may revoke the access token to force the user to authenticate again or, if available, use a refresh token to renew the access token.
In the authorization code grant flow, client apps receive refresh tokens that they use to generate new access tokens. These refresh tokens have a predefined lifespan of 20000 seconds. If a client app no longer uses a refresh token and the lifespan of this refresh token hasn’t expired, it’s best practice to revoke the token. This reduces the threat of an unauthorized party intercepting the token and getting access to resource owners’ data.
For example, if an end user authorized an event planner client app to add selected events to their phone calendar, the client app may no longer need its refresh token once the user finishes selecting events and closes the app. In such a case, the client app may revoke the refresh token immediately, reducing the time during which the token is exposed to security threats.
Request:

POST https://oauth.akamai.com/v1/revoke HTTP/1.1
Authorization: Basic <client-id>,<client-secret>
Content-Type: application/x-www-form-urlencoded

token=<token>

Parameters:

- token: An access or refresh token.

Response:

HTTP/1.1 200
Content-Length: 0
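The logout scenario described above, as an added example that is not part of the Akamai documentation: a small client-side helper that builds the revocation request for each token the app still holds, skips tokens whose lifespan (1800 s for access tokens, 20000 s for refresh tokens, as stated above) has already run out, and reports which ones were revoked. It assumes the Authorization header carries the client credentials as standard HTTP Basic (base64 of `client_id:client_secret`, RFC 7617) rather than the literal placeholder shown in the request above, and the `send` parameter is a hypothetical injection point so the transport can be replaced in tests.

```python
"""Revoke unexpired OAuth 2.0 tokens at logout (added example, not Akamai code)."""
import base64
import time
from urllib import parse, request

REVOKE_URL = "https://oauth.akamai.com/v1/revoke"   # endpoint from the docs
ACCESS_TOKEN_TTL = 1800     # seconds, per the docs
REFRESH_TOKEN_TTL = 20000   # seconds, per the docs


def build_revocation_request(client_id, client_secret, token):
    """Build the POST shown in the docs as a urllib Request object.

    Assumption: credentials are sent as RFC 7617 HTTP Basic, i.e.
    base64("client_id:client_secret"); the docs only show a placeholder.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = parse.urlencode({"token": token}).encode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return request.Request(REVOKE_URL, data=body, headers=headers, method="POST")


def is_expired(issued_at, ttl, now=None):
    """True once the token's predefined lifespan has elapsed."""
    now = time.time() if now is None else now
    return now >= issued_at + ttl


def revoke_on_logout(client_id, client_secret, tokens, now=None, send=None):
    """Revoke every still-valid token the client holds; return those revoked.

    `tokens` is a list of (token, issued_at, ttl) tuples. `send` (hypothetical
    hook) takes a Request and returns a response with a `.status`; it defaults
    to urllib.request.urlopen so the function works against the real endpoint.
    """
    send = send or (lambda req: request.urlopen(req, timeout=10))
    revoked = []
    for token, issued_at, ttl in tokens:
        if is_expired(issued_at, ttl, now):
            continue  # already dead server-side; no request needed
        resp = send(build_revocation_request(client_id, client_secret, token))
        if resp.status == 200:  # docs show "HTTP/1.1 200" with an empty body
            revoked.append(token)
    return revoked
```

Calling `revoke_on_logout` with both the access and the refresh token at logout forces a fresh authorization on the next use and shortens the window in which an intercepted refresh token stays usable.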