2
votes

How can I revoke an access token obtained from an implicit grant?

The API POST https://localhost:9443/oauth2/revoke requires an Authorization header with both client_id and client_secret: https://docs.wso2.com/display/IS520/OAuth2+Token+Revocation

But a client logged in using the implicit grant doesn't have a client_secret, and it should still be able to revoke the access token.

Is there another way to revoke an implicit-grant access token in WSO2 IS?

Regards,


3 Answers

2
votes

I got it working by looking at the source code. You cannot pass an empty client secret in the Basic authentication header, but you can leave the client secret out if you pass only the client_id as a URL parameter. This should definitely be in the documentation.

2
votes

You can revoke an OAuth2 implicit-grant access token using the cURL command below.

  • ACCESS_TOKEN_TO_BE_REVOKED: The access token to be revoked
  • CLIENT_ID: Client key

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "token=ACCESS_TOKEN_TO_BE_REVOKED&token_type_hint=access_token&client_id=CLIENT_ID" http://localhost:8243/revoke
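A worked version of the request above, as an added example that is not code from this thread or from WSO2 Identity Server: it builds the form body the cURL command sends for a public (implicit-grant) client, the HTTP Basic variant a confidential client would use instead, and a toy authorization-server handler showing the checks RFC 7009 section 2.1 requires before a token is actually revoked. The endpoint URL is the one named in the question; the client ids, secrets and token values are constructed placeholders, and the in-memory store stands in for the server's token database.

```python
"""Revocation of an access token by a public (implicit-grant) client.

Added example; not code from the original thread or from WSO2 Identity
Server. Client ids, secrets and tokens are constructed placeholders.
"""
import base64
from urllib.parse import parse_qs, urlencode

REVOKE_URL = "https://localhost:9443/oauth2/revoke"  # endpoint named in the question

# Constructed registry: client_id -> client_secret; None marks a public client
# (an app that only has the implicit grant and therefore holds no secret).
CLIENTS = {"spa-implicit": None, "web-confidential": "s3cr3t"}
# Constructed token store: access token -> client_id it was issued to.
TOKENS = {"tok-spa-1": "spa-implicit", "tok-web-1": "web-confidential"}


def build_revocation_request(token, client_id, client_secret=None,
                             token_type_hint="access_token", url=REVOKE_URL):
    """Return {"url", "headers", "body"} for a POST to the revocation endpoint.

    Public client: no Authorization header; client_id travels in the form body
    (this is exactly what the cURL command in the answer sends).
    Confidential client: client_id:client_secret in HTTP Basic and no client_id
    in the body. Sending "id:" with an empty secret is a failed authentication,
    not an unauthenticated public-client request, so the two paths are distinct.
    """
    fields = {"token": token, "token_type_hint": token_type_hint}
    headers = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    if client_secret is None:
        fields["client_id"] = client_id
    else:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    return {"url": url, "headers": headers, "body": urlencode(fields)}


def handle_revoke(headers, body, clients=CLIENTS, tokens=TOKENS):
    """Toy server side of RFC 7009 section 2.1. Returns (http_status, error).

    1. Authenticate a confidential client from Basic auth, or identify a public
       client from the client_id form field (a registered public client only).
    2. Refuse unless the token was issued to that client.
    3. An unknown or already-revoked token still gets 200, as the RFC requires.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    token = form.get("token")
    if not token:
        return 400, "invalid_request"

    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        if client_id not in clients or clients[client_id] != secret:
            return 401, "invalid_client"      # also rejects "id:" (empty secret)
    else:
        client_id = form.get("client_id")
        if client_id not in clients or clients[client_id] is not None:
            return 401, "invalid_client"      # confidential clients must use Basic

    owner = tokens.get(token)
    if owner is None:
        return 200, None                      # never issued or already revoked
    if owner != client_id:
        return 400, "unauthorized_client"     # issued to a different client
    del tokens[token]
    return 200, None


if __name__ == "__main__":
    req = build_revocation_request("tok-spa-1", "spa-implicit")
    print(req["body"])   # token=tok-spa-1&token_type_hint=access_token&client_id=spa-implicit
    print(handle_revoke(req["headers"], req["body"]))   # (200, None)
```

Because a public client has no secret, its client_id is only an identifier, so the ownership check in step 2 is what ties the request to the app the token was issued to; it is also why the answer's cURL works without Basic auth while a Basic header with an empty secret does not. One caveat for the toy handler: answering a mismatched token with an error while answering an unknown one with 200 tells a caller that the token exists, so a deployment that cares about that should treat a mismatch like an unknown token and return 200 without revoking.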

0
votes

As per this, if the OAuth app has only the Implicit grant type, you can send the revoke request without a client secret.