Skip to main content

Overview

When an access token (or refresh token) is invalidated using Authlete/auth/revocation API, the corresponding refresh token (or access token) will be invalidated at the same time.

How Authlete handles token revocation requests

On receiving a revocation request form a client, an authorization server will call Authlete’s  /auth/revocation API with “parameters” parameter that contains content of the revocation request. The revocation request from the client contains the following parameters as defined in RFC 7009.
parameterRequiredvalue
tokenyesThe token that the client wants to get revoked.
token_type_hintno A hint about the type of the token submitted for revocation.
Authlete will assume the type of the token using the token_type_hint and look up the token of that type in its token database first. If no tokens of the type found, Authlete will next look up the token of the other type. If Authlete finds the token of either type, it will remove the token and corresponding one i.e. access token / refresh token pair. In other words, the token_type_hint is not a parameter to specify the type of tokens to be removed. It is to help Authlete locate the token from its records. Authlete removes both the access token and the refresh token. Details are as listed below.
token_type_hinthow to locate the token recordinvalidation
(none)look up the access token records first, and refresh token records next.both access and refresh tokens
access_tokensame as abovesame as above
refresh_tokenlook up the refresh token records first, and access token records next.same as above