Integration Server 10.3 | Built-In Services Reference Guide | OAuth Folder | Summary of Elements in this Folder | pub.oauth:revokeToken
 
pub.oauth:revokeToken
WmPublic. Revokes a token issued by the Integration Server.
Input Parameters
token
String The access token or refresh token to revoke
token_type_hint
String Optional. A hint for the token type. Specify:
*access_token if the provided token is an access token.
*refresh_token if the provided token is a refresh token.
Output Parameters
None.
Usage Notes
The pub.oauth:revokeToken service is the revocation endpoint for an Integration Server authorization server. The URL for the revocation endpoint is:
https://host:port/invoke/pub.oauth/revokeToken
Integration Server provides this functionality to support RFC 7009, OAuth 2.0 Token Revocation.
Use the pub.oauth:revokeToken service to revoke a token on Integration Server only. The service cannot be used to revoke a token on an external authorization server.
Integration Server revokes all of the tokens related to the supplied token. If the supplied token is an access token, Integration Server revokes the associated refresh token as well. If the supplied token is a refresh token, Integration Server revokes the associated access token as well.
When Integration Server revokes a token, Integration Server removes the token from the database and from cache.
If the supplied token does not exist, the pub.oauth:revokeToken service is a no-op. Integration Server does not need to return an error because the token is unusable.
Only administrators who are members of the Administrators ACL and confidential clients can revoke tokens. Administrators can revoke any token. Confidential clients can revoke tokens that have been issued to them only. Public clients cannot revoke tokens.
Supplying token_type_hint may help the Integration Server authorization server look up the token more quickly. If Integration Server does not find the token of the type specified in the provided hint, Integration Server looks for a token of the other type.
If the token_type_hint is incorrect, invalid, or missing, Integration Server still revokes the token
This service must be invoked using HTTPS unless the Require HTTPS setting on the Security > OAuth > Edit OAuth Global Settings page is disabled.
Clients must invoke this service via an HTTP POST request unless the watt.server.oauth.requirePost server configuration parameter is set to false. When this parameter is set to false, clients can invoke this service using HTTP GET.