Authorization API documentation

Revoking tokens

The Authorization Server exposes a revoke token endpoint so that a client can notify the Authorization Server that it no longer needs an access or refresh token. Once revoked, an access token can no longer be used to access resources, and a refresh token can no longer be used to request new access tokens.

CAUTION: Revoking an access token invalidates it at the Authorization Server. However, if a Resource Server caches valid access tokens for performance reasons, to reduce traffic to the Authorization Server, the revoked token will still be accepted by that Resource Server until it next contacts the Authorization Server. Consult the documentation or specification of the Resource Server you are accessing to understand how it handles token revocation.

Forming the request

Endpoint: https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke
Description: This endpoint is the target of the request to revoke an OAuth 2.0 access or refresh token.
Method: HTTP POST

The form body posted is composed of the following parameters.

Parameter: token
  Value: the access or refresh token to revoke, as a string issued by the OAuth 2.0 Authorization Server.
  Required: yes

Parameter: token_type_hint
  Value: a hint about the type of the token passed in the token parameter, as a string. The examples below use the values access_token and refresh_token; an unsupported value results in the unsupported_token_type error shown under "Handling an error".
  Required: no (defaults to access_token)

Client Authentication

You also need to authenticate the client for this call; see the client authentication documentation for details.

The allowed client authentication methods are the ones shown in the examples below: client_id and client_secret as form parameters, a JSON Web Token passed as client_assertion together with client_assertion_type, or HTTP Basic authentication in the Authorization header.

If you use a JSON Web Token the audience for this call in the JWT token must be:

  • https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/revoke

Example 1: A confidential client revoking an access token


POST https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: beta.oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
        
token=j8Y0bYlxfr3z_dBbuZ8etA
&token_type_hint=access_token
&client_id=A_68548
&client_secret=cuIl1QijikgJHGYJFUcnOZ


POST https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: beta.oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
        
token=j8Y0bYlxfr3z_dBbuZ8etA
&token_type_hint=access_token
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Imo5c1ZrNU9INVlOQS1uMS00bDdUM013UVJJUSJ9.eyJzdWIiOiI3ODk0NTYiLCJpc3MiOiI3ODk0NTYiLCJleHAiOiIxNTE2MjQwMDIyIiwiaWF0IjoiMTU1MjkwOTYwMSIsImp0aSI6IjYzMjMzY2Q5LTIxYjgtNGZhMS04ODU4LTY2YjcxNWY3YTg2NiIsImF1ZCI6Imh0dHBzOi8vb2F1dGgudmxhYW5kZXJlbi5iZS9hdXRob3JpemF0aW9uL3dzL29hdXRoL3YyL2F1dGhvcml6YXRpb24ifQ.dPWB45Fe-ctNq5Q5bwGSVfFjbVoGMd6mrKzd3V9Xaq136vnAABYstr9v0E-rTz_VjoHJOpS23336-3ooDEl-bahfVJhpsjTW2_8X8eU9Jdyznl5VWpLKfAmHW9ycWupMf3jeCGfbLe5e1Nj1AmMuvufwawpb8-c9XuRoJoK6y232gRa-xfBQxJMcaS8L9qxYVLecPeqQjnjAs0qDOzrRzyIDLC9fBUG0UeC4sd_rEMSgBSj_N5uMbg4hyV6HB6-WuJy0R_MWFRq_fgqa3vRqDd9D0epLc-_QugfeGgdryKer57WLtbYfDXWoXEgsKmqToHyZx2G96ohuIqws3ytxxg
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer


POST https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: beta.oauth.vlaanderen.be
Authorization: Basic Nzg5NDU2OjI5OE1TR0hTSlk5MzI3MzI1M0dJREdJRFpOX1ZDWDJIJTNEJTNE
Content-Type: application/x-www-form-urlencoded
        
token=j8Y0bYlxfr3z_dBbuZ8etA
&token_type_hint=access_token


The body only contains extra newlines for readability. Be sure to url-encode the token, client_secret, client_assertion and client_assertion_type values.

Example 2: A confidential client revoking a refresh token


POST https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: beta.oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
    
token=RULRbxvTBGhy6kRYoaSg-w
&token_type_hint=refresh_token
&client_id=A_68548
&client_secret=cuIl1QijikgJHGYJFUcnOZ


POST https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: beta.oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
    
token=RULRbxvTBGhy6kRYoaSg-w
&token_type_hint=refresh_token
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Imo5c1ZrNU9INVlOQS1uMS00bDdUM013UVJJUSJ9.eyJzdWIiOiI3ODk0NTYiLCJpc3MiOiI3ODk0NTYiLCJleHAiOiIxNTE2MjQwMDIyIiwiaWF0IjoiMTU1MjkwOTYwMSIsImp0aSI6IjYzMjMzY2Q5LTIxYjgtNGZhMS04ODU4LTY2YjcxNWY3YTg2NiIsImF1ZCI6Imh0dHBzOi8vb2F1dGgudmxhYW5kZXJlbi5iZS9hdXRob3JpemF0aW9uL3dzL29hdXRoL3YyL2F1dGhvcml6YXRpb24ifQ.dPWB45Fe-ctNq5Q5bwGSVfFjbVoGMd6mrKzd3V9Xaq136vnAABYstr9v0E-rTz_VjoHJOpS23336-3ooDEl-bahfVJhpsjTW2_8X8eU9Jdyznl5VWpLKfAmHW9ycWupMf3jeCGfbLe5e1Nj1AmMuvufwawpb8-c9XuRoJoK6y232gRa-xfBQxJMcaS8L9qxYVLecPeqQjnjAs0qDOzrRzyIDLC9fBUG0UeC4sd_rEMSgBSj_N5uMbg4hyV6HB6-WuJy0R_MWFRq_fgqa3vRqDd9D0epLc-_QugfeGgdryKer57WLtbYfDXWoXEgsKmqToHyZx2G96ohuIqws3ytxxg
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer


POST https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: beta.oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Nzg5NDU2OjI5OE1TR0hTSlk5MzI3MzI1M0dJREdJRFpOX1ZDWDJIJTNEJTNE
    
token=RULRbxvTBGhy6kRYoaSg-w
&token_type_hint=refresh_token

The body only contains extra newlines for readability. Be sure to url-encode the token, client_secret, client_assertion and client_assertion_type values.

Example 3: A public client revoking an access token


POST https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke HTTP/1.1
Host: beta.oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
    
token=UqGzSDDQx36mSqapDfnA&client_id=A_68548

For a public client the token_type_hint parameter can be omitted: a public client can only use the implicit grant flow and therefore only ever obtains access tokens. Be sure to url-encode the token.

Handling the response

If the token has been revoked successfully or if the client submitted an invalid token, the Authorization Server responds with HTTP status code 200.

Handling an error

When there is an error, a JSON result is returned containing the error information.

Example error response


HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "error": "unsupported_token_type"
}
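As an added example that is not part of this documentation, the following Python helper builds the revoke request described under "Forming the request" and "Client Authentication" (form-encoding the token and credentials, and choosing between client_secret, JWT client_assertion and HTTP Basic authentication) and interprets the response as described under "Handling the response" and "Handling an error". The endpoint URL is the one on this page; all credentials and token values are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlencode

# Endpoint from the documentation; credentials used below are constructed.
REVOKE_URL = "https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/revoke"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_revoke_request(token, token_type_hint=None, client_id=None,
                         client_secret=None, client_assertion=None, basic=False):
    """Return (headers, body) for a POST to REVOKE_URL.

    urlencode() percent-encodes every value, which covers the url-encoding
    requirement for token, client_secret, client_assertion and
    client_assertion_type. Exactly one client authentication method is used:
    a JWT assertion, HTTP Basic (basic=True), or client_id/client_secret in
    the form body (a public client sends client_id only).
    """
    params = {"token": token}
    if token_type_hint:
        params["token_type_hint"] = token_type_hint
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_assertion is not None:
        params["client_assertion"] = client_assertion
        params["client_assertion_type"] = JWT_BEARER
    elif basic and client_secret is not None:
        cred = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    else:
        params["client_id"] = client_id
        if client_secret is not None:
            params["client_secret"] = client_secret
    return headers, urlencode(params)


def handle_revoke_response(status, body):
    """Map the server reply to an outcome string.

    200 means the token is revoked (or was already invalid, which the server
    reports the same way); any other status carries a JSON error object whose
    "error" member is returned so the caller can log or alert on it.
    """
    if status == 200:
        return "revoked"
    try:
        return json.loads(body).get("error", "unknown_error")
    except ValueError:
        return "unknown_error"
```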