Hi,
I can not find any API for revoking access token in OAuth2 plugin documentation. How can I do that?
Thanks,
Shiva
Hi,
I can not find any API for revoking access token in OAuth2 plugin documentation. How can I do that?
Thanks,
Shiva
Hello,
Please try this request:
curl -X DELETE http://kong:8001/oauth2_tokens/<your-token-uuid>
It should remove the token from the database.
I have created an issue to include those endpoints in the docs, thanks for reporting this and apologies if this has caused you any trouble.
Thank you very much, It worked.
Is it possible to delete multiple tokens in single request?
No, the endpoint only allows 1 token UUID per request.
I don’t get why Kong doesn’t provide a revoke endpoint. It should be its responsibility.
@kikito Your example would work but I would say for debugging purpose it would be better to flag revoked tokens instead.
Kong could use a revoked_at
field in its db for example to store the date when the client revoked his token.
The resources we have as a company aren’t unlimited. Probably we’ll end up doing what you suggest, but right now other developments are more prioritary to us.
If it’s important for you, can I suggest sending us a PR? That would accelerate the process.
There are a lot of standards in OAuth 2.0 space, such as Revocation that is not part of the base standard, but defined in another: https://tools.ietf.org/html/rfc7009. There is almost no upper limit what your Identity Provider could have. Though, I agree Revocation and Introspection endpoints would be nice to have in our plugin, but it could also have support for OpenID Connect, JWT tokens (both JWS/JWE maybe), etc.
We do provide in our EE version of the product a very full featured OpenID Connect Relying Party Plugin that you can use to integrate with some big-player identity solutions (there are also a third party plugin here: https://github.com/nokia/kong-oidc), such as Google, Microsoft, Okta, PingFederate, OneLogin, Auth0, Yahoo!, SalesForce, Paypal, Connect2id, IdentityServer4, OpenAM, Gluu, Keycloak, Dex, to mention a few. But as long as your identity provider supports OpenID Connect standard you can integerate with it.
All that said, I think revocation is high on the list of what should be in OAuth 2.0 Plugin. We are happy to receive a pull-request for it.