Token Revocation

POST {{authPath}}/{{envID}}/as/revoke

The POST /{{envID}}/as/revoke endpoint revokes the token specified in the request body. The revocation endpoint accepts both access_token and refresh_token values, and the token to be revoked must have been issued for a custom resource. Tokens issued for the PingOne API resource cannot be revoked here, because the PingOne APIs do not use the introspection endpoint to validate tokens.

For more information about the token revocation request, see section 2.1 of OAuth 2.0 Token Revocation (RFC 7009). For more information about custom resources, custom scopes, and how the PingOne OAuth 2 authorization service manages requests for custom scopes, see Custom scopes in the PingOne for Developers Guide.

The POST /{{envID}}/as/revoke endpoint uses the same client authentication method as the POST /{{envID}}/as/token endpoint, determined by the application's tokenEndpointAuthMethod value. If tokenEndpointAuthMethod is CLIENT_SECRET_BASIC, the request carries an Authorization: Basic <headerValue> header, where <headerValue> is the Base64 encoding of "username:password", the username being the client_id and the password the client_secret. Per RFC 6749 section 2.3.1, both values are application/x-www-form-urlencoded before they are joined with the colon, so a secret containing characters such as ":" or "%" must be encoded first.

If the application's tokenEndpointAuthMethod value is CLIENT_SECRET_POST, the request does not need an Authorization header, and the client_id and client_secret property values are submitted in the request body.

If the application's tokenEndpointAuthMethod value is NONE, the request requires the client_id property value in the request body and does not require an Authorization header.

If the application's tokenEndpointAuthMethod value is CLIENT_SECRET_JWT, the endpoint authenticates the request with a JWT signed using the application's client secret. For information about creating the JWT and the claims it must contain, see Create a client secret JWT.

If the application's tokenEndpointAuthMethod value is PRIVATE_KEY_JWT, the endpoint authenticates the request with a JWT signed using the application's private key. For information about creating the JWT and the claims it must contain, see Create a private key JWT.

Note: This endpoint does not support revoking a single access token in isolation. A revocation request revokes every access token issued for the combination of the user's session and the requesting application. A token must carry a session (sid) claim to be revocable. Revoking a refresh token likewise revokes all access tokens associated with that session and application combination.

If client authentication succeeds and the token contains the required iat and sid claims, the response is a 200 status code with an empty body.

If the token is invalid, or if it does not include the required iat and sid claims, the endpoint returns an unsupported_token_type error as specified in OAuth 2.0 Token Revocation (RFC 7009, section 2.2.1). The same unsupported_token_type error is returned if the aud claim identifies a platform (PingOne API) token.
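The following added example (not PingOne's own code) ties together the client authentication variants above and the iat/sid requirement. It builds the revocation request body and headers for each tokenEndpointAuthMethod, pre-checks a token's claims locally so the client can fail fast before the server answers unsupported_token_type, and offers a helper to send the request. Assumptions, beyond what this page states: the body is application/x-www-form-urlencoded (RFC 7009), Basic credentials are encoded per RFC 6749 section 2.3.1, the two JWT methods pass the signed JWT as RFC 7523 client_assertion/client_assertion_type parameters (the JWT itself is built per the linked PingOne pages and is not shown here), and the sample tokens are constructed locally and are not signed by PingOne.

```python
"""Build and pre-check a PingOne token revocation request (added example)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

REVOKE_PATH = "/as/revoke"  # appended to {{authPath}}/{{envID}}
# RFC 7523 assertion type, assumed for CLIENT_SECRET_JWT and PRIVATE_KEY_JWT.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: Dict[str, object]) -> str:
    """Constructed, unsigned JWT for local demonstration only (not a PingOne token)."""
    def seg(obj: object) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.placeholder-signature"


def revocable_claims(token: str) -> Tuple[bool, str]:
    """Check that a token carries the iat and sid claims the endpoint requires.

    The payload is read without signature verification purely to give the
    caller an early, specific error; the server remains authoritative and
    answers unsupported_token_type when the claims are absent.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a JWS compact serialization (expected 3 segments)"
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "payload is not base64url-encoded JSON"
    missing = [c for c in ("iat", "sid") if c not in claims]
    if missing:
        return False, "missing claims: " + ", ".join(missing)
    return True, "ok"


def build_revocation_request(
    auth_method: str,
    client_id: str,
    token: str,
    client_secret: Optional[str] = None,
    client_assertion: Optional[str] = None,
) -> Tuple[Dict[str, str], str]:
    """Return (headers, form body) for the revoke call under a tokenEndpointAuthMethod."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token}
    if auth_method == "CLIENT_SECRET_BASIC":
        if client_secret is None:
            raise ValueError("CLIENT_SECRET_BASIC needs client_secret")
        # RFC 6749 s2.3.1: form-urlencode each half, join with ':', then base64.
        user = urllib.parse.quote(client_id, safe="")
        password = urllib.parse.quote(client_secret, safe="")
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    elif auth_method == "CLIENT_SECRET_POST":
        if client_secret is None:
            raise ValueError("CLIENT_SECRET_POST needs client_secret")
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "NONE":
        form["client_id"] = client_id  # public client: no secret, no Authorization header
    elif auth_method in ("CLIENT_SECRET_JWT", "PRIVATE_KEY_JWT"):
        if client_assertion is None:
            raise ValueError(f"{auth_method} needs a signed client_assertion JWT")
        form["client_assertion_type"] = JWT_BEARER
        form["client_assertion"] = client_assertion
    else:
        raise ValueError(f"unknown tokenEndpointAuthMethod: {auth_method}")
    return headers, urllib.parse.urlencode(form)


def revoke(auth_path: str, env_id: str, headers: Dict[str, str],
           body: str, timeout: int = 10) -> Tuple[int, str]:
    """POST the request and return (status, body).

    200 with an empty body means the session/application tokens were revoked;
    RFC 7009 s2.2.1 delivers unsupported_token_type as a 400 with a JSON error body.
    """
    req = urllib.request.Request(f"{auth_path}/{env_id}{REVOKE_PATH}",
                                 data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    token = make_sample_token({"iat": 1700000000, "sid": "session-id", "aud": "https://api.example.test"})
    print("pre-check:", revocable_claims(token))
    headers, body = build_revocation_request("CLIENT_SECRET_BASIC", "my-client", token, client_secret="s:3cret")
    print(headers["Authorization"], body[:40] + "...")
    # revoke("https://auth.pingone.com", "<envID>", headers, body) would send it for real.
```

Run the pre-check on a refresh token before calling revoke: if sid is missing, no request to the endpoint will succeed, so there is no point in sending the token over the wire. Treat the token and client_secret as secrets when logging; the example prints only the header and a truncated body for illustration.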

Note: For more information about PingOne SSO sessions and token revocation, see Manage PingOne sessions in the PingOne for Developers Guide.

Prerequisites

Property   Type     Required?
token      String   Required

See the OpenID Connect/OAuth2 data model for full property descriptions.

Request Body

Content-Type: application/x-www-form-urlencoded

token={{oauthToken}}