
In OAuth or OpenID Connect, let's say an attacker takes an access or refresh token and the browser's or app's caches are cleaned. Can a user revoke an access or refresh token issued by an Identity Provider if its string is not explicitly known?

2 Answers

If your token provider is at least an OAuth 2.0 provider, it has to implement OAuth 2.0 Token Revocation.
The URL should be delivered by an OpenID Connect provider as "revocation_endpoint" in the /.well-known/openid-configuration document.
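As an added illustration of this answer (not code from the original post or from any particular provider), the snippet below reads `revocation_endpoint` from a constructed discovery document and builds the RFC 7009 revocation request; the issuer URL, client credentials and token values are made-up placeholders.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample of what GET <issuer>/.well-known/openid-configuration
# returns; only the fields this example needs are included.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://issuer.example",
    "token_endpoint": "https://issuer.example/oauth2/token",
    "revocation_endpoint": "https://issuer.example/oauth2/revoke",
})


def revocation_endpoint(discovery_json: str) -> str:
    """Return the provider's revocation_endpoint from its discovery document.
    The field is optional in OpenID Connect Discovery, so a provider that
    omits it simply offers no standard revocation; treat that as an error."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("revocation_endpoint")
    if not endpoint:
        raise ValueError("provider advertises no revocation_endpoint")
    if not endpoint.startswith("https://"):
        raise ValueError("revocation_endpoint must use https")
    return endpoint


def build_revocation_request(endpoint, client_id, client_secret, token, token_type_hint=None):
    """RFC 7009: POST a form body with 'token' (and an optional hint) to the
    revocation endpoint, authenticating the client the same way as at the
    token endpoint (HTTP Basic for a confidential client)."""
    form = {"token": token}
    if token_type_hint in ("access_token", "refresh_token"):
        form["token_type_hint"] = token_type_hint
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(endpoint, data=urlencode(form).encode(), headers=headers, method="POST")


def revoke(discovery_json, client_id, client_secret, token, token_type_hint=None) -> bool:
    """Send the revocation request. Per RFC 7009 a 200 means the token is now
    invalid, which includes the case where it was already invalid or unknown,
    so a 200 does not prove the token string was ever live."""
    endpoint = revocation_endpoint(discovery_json)
    req = build_revocation_request(endpoint, client_id, client_secret, token, token_type_hint)
    with urlopen(req, timeout=10) as resp:  # performs a real network call
        return resp.status == 200
```

Revoking a refresh token also invalidates the access tokens derived from it on most providers, so the refresh token is the one worth revoking first.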

It really depends on the implementation at the Identity Provider, but typically you should be able to revoke at least the refresh token. The refresh token is most often stored in persistent storage at the IdP, and a user may log in to the IdP to manage client authorizations and refresh tokens. As an example, Google allows users to manage those at: https://security.google.com/settings/security/permissions