When an access token (or refresh token) is invalidated using Authlete's /auth/revocation API, the corresponding refresh token (or access token) is invalidated at the same time.
On receiving a revocation request from a client, an authorization server calls Authlete's /auth/revocation API with the parameters parameter, which carries the content of the revocation request as received from the client.
The revocation request from the client contains the following parameters as defined in RFC 7009.
Parameter | Required | Value
---|---|---
token | yes | The token that the client wants to revoke.
token_type_hint | no | A hint about the type of the token submitted for revocation (access_token or refresh_token).
Authlete uses token_type_hint to guess the type of the token and looks the token up in its records of that type first. If no token of that type is found, Authlete then looks the token up in the records of the other type. If Authlete finds the token as either type, it removes that token together with its counterpart, i.e. the whole access token / refresh token pair.
In other words, token_type_hint does not select which type of token is removed; it only helps Authlete locate the token in its records. Authlete always removes both the access token and the refresh token, so a client that sends the wrong hint still gets its token pair revoked.
Details are as listed below.
token_type_hint | How the token record is located | What is invalidated
---|---|---
(none) | Look up the access token records first, then the refresh token records. | Both the access token and the refresh token
access_token | Same as above | Same as above
refresh_token | Look up the refresh token records first, then the access token records. | Same as above
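The lookup rule in the table above, modelled as an added example that is not part of the original page and not Authlete's code. The in-memory TokenStore, the sample token values and the helper names are constructed here to show the behaviour: the hint only orders the lookup, a miss falls back to the other token type, and the access/refresh pair is always removed together. The authlete_request_body helper only shows how the client's RFC 7009 form body is forwarded as the value of parameters; any other fields the Authlete API takes (client credentials, for instance) are outside what this page describes and are not modelled.

```python
"""Model of the /auth/revocation lookup rule: hint orders the search, the
whole access/refresh pair is invalidated. Constructed example, not Authlete's
implementation; all names and sample data are assumptions made here."""
from urllib.parse import parse_qs, urlencode


class TokenStore:
    """Hypothetical token database holding access/refresh token pairs."""

    def __init__(self):
        self.pairs = {}       # pair_id -> {"access_token": ..., "refresh_token": ...}
        self.by_access = {}   # access token value -> pair_id
        self.by_refresh = {}  # refresh token value -> pair_id

    def issue(self, pair_id, access_token, refresh_token):
        self.pairs[pair_id] = {"access_token": access_token,
                               "refresh_token": refresh_token}
        self.by_access[access_token] = pair_id
        self.by_refresh[refresh_token] = pair_id

    def revoke(self, token, token_type_hint=None):
        """Apply the table's rule: the hint decides which records are searched
        first, never which tokens are removed.

        Returns {"located_as": <type found>, "revoked": <pair>} or None when
        the token is unknown (an RFC 7009 endpoint answers 200 either way).
        """
        # refresh_token hint -> refresh records first; no hint, access_token,
        # or an unrecognised hint (treated like no hint, an assumption here)
        # -> access records first.
        if token_type_hint == "refresh_token":
            order = [("refresh_token", self.by_refresh), ("access_token", self.by_access)]
        else:
            order = [("access_token", self.by_access), ("refresh_token", self.by_refresh)]

        for kind, index in order:
            pair_id = index.get(token)
            if pair_id is None:
                continue  # not a token of this type: fall back to the other type
            pair = self.pairs.pop(pair_id)
            # Both halves of the pair go, whichever one the client presented.
            self.by_access.pop(pair["access_token"], None)
            self.by_refresh.pop(pair["refresh_token"], None)
            return {"located_as": kind, "revoked": pair}
        return None


def authlete_request_body(client_body):
    """Form body the authorization server sends to /auth/revocation: the
    client's raw RFC 7009 request body forwarded as the ``parameters`` value.
    Only this one parameter is modelled."""
    parsed = parse_qs(client_body, keep_blank_values=True)
    if "token" not in parsed:
        raise ValueError("invalid_request: token parameter is required")
    return urlencode({"parameters": client_body})


def sample_store():
    """Constructed sample data: two token pairs issued to one client."""
    store = TokenStore()
    store.issue("pair-1", "at-1111", "rt-1111")
    store.issue("pair-2", "at-2222", "rt-2222")
    return store


def demo():
    store = sample_store()
    # The client sends the wrong hint: at-1111 is an access token.
    client_body = "token=at-1111&token_type_hint=refresh_token"
    print(authlete_request_body(client_body))
    fields = {k: v[0] for k, v in parse_qs(client_body).items()}
    result = store.revoke(fields["token"], fields.get("token_type_hint"))
    print(result)                   # located via fallback to the access records
    print(store.revoke("rt-1111"))  # None: the paired refresh token is already gone
    return result


if __name__ == "__main__":
    demo()
```

Running demo() shows the case practitioners most often ask about: a wrong or missing hint costs one extra lookup but never leaves half of a pair alive, and presenting the surviving half afterwards finds nothing.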