Token revocation policy

Token revocation policy


When an access token (or refresh token) is invalidated using Authlete/auth/revocation API, the corresponding refresh token (or access token) will be invalidated at the same time.

How Authlete handles token revocation requests

On receiving a revocation request form a client, an authorization server will call Authlete’s  /auth/revocation API with “parameters” parameter that contains content of the revocation request.

The revocation request from the client contains the following parameters as defined in RFC 7009.

parameter Required value
token yes The token that the client wants to get revoked.
token_type_hint no  A hint about the type of the token submitted for revocation.

Authlete will assume the type of the token using the token_type_hint and look up the token of that type in its token database first. If no tokens of the type found, Authlete will next look up the token of the other type. If Authlete finds the token of either type, it will remove the token and corresponding one i.e. access token / refresh token pair.

In other words, the token_type_hint is not a parameter to specify the type of tokens to be removed. It is to help Authlete locate the token from its records. Authlete removes both the access token and the refresh token.

Details are as listed below.

token_type_hint how to locate the token record invalidation
(none) look up the access token records first, and refresh token records next. both access and refresh tokens
access_token same as above same as above
refresh_token look up the refresh token records first, and access token records next. same as above