How to revoke OAuth token generated from OAuth2 plugin

Hi,
I cannot find any API for revoking access tokens in the OAuth2 plugin documentation. How can I do that?

Thanks,
Shiva

Hello,

Please try this request:

curl -X DELETE http://kong:8001/oauth2_tokens/<your-token-uuid>

It should remove the token from the database.

I have created an issue to include those endpoints in the docs, thanks for reporting this and apologies if this has caused you any trouble.

Thank you very much, it worked.


Is it possible to delete multiple tokens in single request?

No, the endpoint only allows 1 token UUID per request.
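Since the Admin API takes one token UUID per request, bulk revocation means one DELETE per token. Here is a small POSIX shell wrapper, added here as an example and not Kong's own code, that revokes a list of token UUIDs one request at a time, rejects malformed ids before they reach the URL, and reports each outcome. Assumptions: curl is installed, KONG_ADMIN is the Admin API base URL (defaulting to the http://kong:8001 used above), and DELETE answers 204 for a removed token and 404 for an unknown one.

```shell
#!/bin/sh
# Bulk revocation wrapper around the DELETE /oauth2_tokens/<uuid> endpoint
# from this thread. Assumed (not from the thread): curl is available and
# KONG_ADMIN points at the Admin API.
KONG_ADMIN="${KONG_ADMIN:-http://kong:8001}"

# Issue one HTTP request and print only the response status code.
kong_request() {
  curl -s -o /dev/null -w '%{http_code}' -X "$1" "$2"
}

# Accept only well-formed UUIDs so a stray value never becomes part of a URL.
is_uuid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Revoke a single token; prints one audit line and returns 0 only on success.
revoke_token() {
  id=$1
  if ! is_uuid "$id"; then
    echo "skip    $id (not a UUID)"
    return 2
  fi
  code=$(kong_request DELETE "$KONG_ADMIN/oauth2_tokens/$id")
  case $code in
    204) echo "revoked $id"; return 0 ;;
    404) echo "missing $id (already revoked or never existed)"; return 1 ;;
    *)   echo "error   $id (HTTP ${code:-none})"; return 1 ;;
  esac
}

# Revoke every token id given as an argument, one request each. The exit
# status is the number of ids that could not be revoked, so 0 means all done.
revoke_tokens() {
  failed=0
  for id in "$@"; do
    revoke_token "$id" || failed=$((failed + 1))
  done
  return "$failed"
}

# Usage: revoke_tokens <uuid> [<uuid> ...]
```

Feed it the ids from a GET on /oauth2_tokens (or from your own records) and keep the printed audit lines; a 404 on an id you expected to exist is worth a look, since it means the token was already gone.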

I don’t get why Kong doesn’t provide a revoke endpoint. It should be its responsibility.

@kikito Your example would work, but I would say that for debugging purposes it would be better to flag revoked tokens instead.
Kong could use a revoked_at field in its db for example to store the date when the client revoked his token.

The resources we have as a company aren’t unlimited. Probably we’ll end up doing what you suggest, but right now other developments are a higher priority for us.

If it’s important for you, can I suggest sending us a PR? That would accelerate the process.

There are a lot of standards in the OAuth 2.0 space, such as Revocation, which is not part of the base standard but defined in another: https://tools.ietf.org/html/rfc7009. There is almost no upper limit to what your Identity Provider could have. Though, I agree Revocation and Introspection endpoints would be nice to have in our plugin, but it could also have support for OpenID Connect, JWT tokens (both JWS/JWE maybe), etc.

We do provide in our EE version of the product a very full-featured OpenID Connect Relying Party Plugin that you can use to integrate with some big-player identity solutions (there is also a third-party plugin here: https://github.com/nokia/kong-oidc), such as Google, Microsoft, Okta, PingFederate, OneLogin, Auth0, Yahoo!, SalesForce, Paypal, Connect2id, IdentityServer4, OpenAM, Gluu, Keycloak, Dex, to mention a few. But as long as your identity provider supports the OpenID Connect standard you can integrate with it.

All that said, I think revocation is high on the list of what should be in OAuth 2.0 Plugin. We are happy to receive a pull-request for it.