4.8 Revocation Endpoint

The revocation endpoint is used to revoke a refresh token together with the access token that was issued with it.

Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/revoke

Request method: POST

NOTE: The client authenticates either by sending client_id and client_secret as request body parameters (as in the preceding curl request), or by sending the client credentials in an HTTP Basic Authorization header (as described in RFC 6749).

4.8.1 Request Parameters

The request must carry the refresh token and the client credentials as HTTP request parameters, as listed in the following table:

Parameter       Required    Description
client_id       Yes         Client application ID obtained at the time of client application registration.
client_secret   Optional    Client secret obtained at the time of client application registration. The client secret is optional for a native application and mandatory for a web application.
token           Yes         The refresh_token obtained from the authorization code, resource owner credentials, or client credentials flow.

4.8.2 Response Values

  • The Identity Server responds with HTTP status code 200 OK if the token has been revoked successfully or if the client submitted an invalid token.

  • The error code unsupported_token_type is returned by the Identity Server when the given token is not a refresh token.

  • If the Identity Server responds with HTTP status code 503, the client must assume the token still exists and may retry revoking the refresh token after a reasonable delay.
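The following is an added example (not part of the original documentation or of the Access Manager product) of a client that builds the revocation request described in 4.8.1, in either credential style from the NOTE above, and maps the responses listed in 4.8.2 onto a client-side action. The Identity Server host, client ID, secret and token values are constructed placeholders; only the endpoint path comes from the page. The retry policy for 503 (three attempts with a growing delay) is an assumption, since the page only says "a reasonable delay".

```python
"""Client helper for the NAM OAuth refresh-token revocation endpoint (added example)."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders: substitute your own Identity Server URL and port.
IDENTITY_SERVER = "https://idp.example.com:8443"
REVOKE_PATH = "/nidp/oauth/nam/revoke"   # endpoint path from the documentation


def build_revocation_request(client_id, token, client_secret=None, basic_auth=False):
    """Return (url, headers, body) for a POST to the revocation endpoint.

    basic_auth=False sends client_id/client_secret as form parameters;
    basic_auth=True sends them in an HTTP Basic Authorization header
    (RFC 6749 section 2.3.1). A native (public) client with no secret
    simply omits client_secret.
    """
    url = IDENTITY_SERVER + REVOKE_PATH
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"token": token}
    if basic_auth:
        if client_secret is None:
            raise ValueError("Basic authentication requires a client_secret")
        creds = urllib.parse.quote(client_id) + ":" + urllib.parse.quote(client_secret)
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    else:
        params["client_id"] = client_id
        if client_secret is not None:
            params["client_secret"] = client_secret
    body = urllib.parse.urlencode(params).encode()
    return url, headers, body


def interpret_response(status, body_bytes):
    """Map the HTTP status (and an optional JSON error body) onto a client action.

    200 -> token revoked, or it was already invalid (treat both as done)
    503 -> the token must be assumed to still exist; caller should retry
    400 with error=unsupported_token_type -> the value was not a refresh token
    """
    if status == 200:
        return "revoked"
    if status == 503:
        return "retry"
    try:
        err = json.loads(body_bytes.decode() or "{}").get("error")
    except (ValueError, AttributeError):
        err = None
    if err == "unsupported_token_type":
        return "not_a_refresh_token"
    return "error:%s:%s" % (status, err)


def revoke(client_id, token, client_secret=None, basic_auth=False,
           opener=urllib.request.urlopen, max_attempts=3, delay=2.0):
    """POST the revocation request, retrying with a growing delay on 503.

    `opener` is injectable so the flow can be exercised without a live server.
    """
    url, headers, body = build_revocation_request(client_id, token, client_secret, basic_auth)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    outcome = "retry"
    for attempt in range(1, max_attempts + 1):
        try:
            with opener(req) as resp:
                outcome = interpret_response(resp.status, resp.read())
        except urllib.error.HTTPError as e:   # non-2xx responses surface here
            outcome = interpret_response(e.code, e.read())
        if outcome != "retry" or attempt == max_attempts:
            return outcome
        time.sleep(delay * attempt)   # back off before the next attempt
    return outcome


if __name__ == "__main__":
    # Constructed values; against a real deployment this performs the revocation.
    print(revoke("web-app", "rt-123", client_secret="s3cret", basic_auth=True))
```

Note that a "revoked" outcome does not tell the client whether the token existed, because the Identity Server deliberately returns 200 OK for an invalid token as well; only a 503 should trigger a retry, and an unsupported_token_type error means the client passed something other than a refresh token.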