Revoke OAuth2.0 access token/refresh token

This topic has 6 replies, 4 voices, and was last updated 6 years, 5 months ago by suhaibmustafa.


    Hi All,

    I was trying to implement OAuth2.0 APIs using OpenAM and found some issues while working on revoke token.
    As per my understanding, the revoke token API should:
    1. Revoke the given access token, if an access token is passed.
    2. Revoke the refresh token as well as all the access tokens associated with that refresh token, if a refresh token is passed.

    But I found that OpenAM is behaving in this way:
    1. If an access token is passed, it is revoking the access token as well as the refresh token associated with that access token.
    2. If a refresh token is passed, it is revoking only the refresh token. If I get multiple access tokens using this refresh token, all the access tokens are still valid.

    To revoke a token I was using this API: /frrest/oauth2/token/<token-id>?_action=revoke

    If my understanding of the API is correct, then how can I achieve the same with OpenAM?

    Any help on this is highly appreciated.


    It may very well be a bug based on your tests. But what is the use case you are trying to achieve with these revocations? I guess I have never needed to revoke access or refresh tokens unless an app that was granted access went away. Plus, you could set shorter expiration times on access tokens if needed.
    Have you looked at OpenID Connect for your use cases, as it's more suited to such end-user session management use cases?
    My 2 cents.


    Hi Sripathy, I am looking at a use case where a user has granted access to an app on multiple devices that he is using (mobile, tablet, etc.) and now he wants to revoke access from one of the devices and is trying to uninstall the app. So in this case only the access/refresh token from that device should be revoked, and the other tokens which are being used by other devices should still be valid.


    Based on what you mentioned, each device would be a client with separate client creds and refresh/access tokens. Upon that device being removed from the relationship, wouldn't it be easier to do the client delete?
    curl \
    --request DELETE \
    --header "iplanetDirectoryPro: AQIC5wM…3MTYxOA..*" \

    I guess that would be the next best thing to the challenge you are facing with deleting a refresh token. Although, just deleting the refresh token should still be enough as even if the access tokens are alive they are short lived.


    I also want similar stuff. Can you provide the detailed command to revoke it?

    For me it is giving unauthorized:

    curl --request POST --user "myClientID:password" --data "grant_type=password&username=yogesh&password=yogesh132&scope=cn"

    {"code":401,"reason":"Unauthorized","message":"Access Denied"}

     Peter Major

    Note that OpenAM doesn’t implement RFC 7009 currently, and even so, revoking access tokens when a refresh token is presented is only a SHOULD in that spec. You can find the RFE for RFC7009 support at:
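To make the semantics under discussion concrete, here is a small in-memory model of RFC 7009 revocation, written as an added example for this thread; it is not OpenAM code and does not use OpenAM's REST endpoints. It encodes the behaviour the original post expected (revoking a refresh token also invalidates every access token minted from it), the "MAY" that Peter Major refers to (revoking an access token optionally pulls its refresh token and siblings with it), and the per-device use case from the thread (each device holds its own refresh token, so revoking one device leaves the others valid). It also shows two checks a revocation endpoint needs regardless of server: the token must belong to the calling client, and an unknown or already-revoked token is answered with success rather than an error, so the endpoint does not become a token-existence oracle. All names (`TokenStore`, `issue`, `revoke`, `revoke_refresh_on_access`) and the constructed client/device labels are assumptions for this example.

```python
"""In-memory model of RFC 7009 token revocation (added example, not OpenAM code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Token state for one authorization server; both maps are keyed by token value."""
    # access token -> refresh token it was minted from (the grant it belongs to)
    access: dict = field(default_factory=dict)
    # refresh token -> (client_id, device label) recorded when the grant was issued
    refresh: dict = field(default_factory=dict)

    def issue(self, client_id: str, device: str):
        """One grant per client per device: a refresh token plus its first access token."""
        rt = secrets.token_urlsafe(16)
        self.refresh[rt] = (client_id, device)
        return self.refresh_access(rt), rt

    def refresh_access(self, rt: str) -> str:
        """Mint another access token from a live refresh token (refresh_token grant)."""
        if rt not in self.refresh:
            raise PermissionError("invalid_grant")
        at = secrets.token_urlsafe(16)
        self.access[at] = rt
        return at

    def is_active(self, token: str) -> bool:
        return token in self.access or token in self.refresh

    def owner(self, token: str):
        """Client the token was issued to, or None if the token is unknown/revoked."""
        if token in self.refresh:
            return self.refresh[token][0]
        if token in self.access:
            return self.refresh[self.access[token]][0]
        return None

    def revoke(self, token: str, client_id: str,
               revoke_refresh_on_access: bool = False) -> set:
        """RFC 7009 revocation request from `client_id`; returns the tokens invalidated."""
        owner = self.owner(token)
        if owner is None:
            # RFC 7009 2.1: an invalid or already-revoked token is not an error (HTTP 200),
            # so callers cannot probe which token values exist.
            return set()
        if owner != client_id:
            # The token was issued to a different client: refuse the request.
            raise PermissionError("unauthorized_client")
        revoked = set()
        if token in self.refresh:
            # Refresh token presented: SHOULD also invalidate every access token
            # based on the same grant (this is what the original post expected).
            for at, parent in list(self.access.items()):
                if parent == token:
                    del self.access[at]
                    revoked.add(at)
            del self.refresh[token]
            revoked.add(token)
        else:
            # Access token presented: always revoke it; MAY also revoke the refresh
            # token, which then cascades to sibling access tokens of that grant.
            parent = self.access.pop(token)
            revoked.add(token)
            if revoke_refresh_on_access:
                revoked |= self.revoke(parent, client_id)
        return revoked


if __name__ == "__main__":
    # Constructed walk-through of the multi-device case from the thread.
    store = TokenStore()
    phone_at, phone_rt = store.issue("app", "phone")
    tablet_at, tablet_rt = store.issue("app", "tablet")
    gone = store.revoke(phone_rt, "app")          # phone uninstalls the app
    print("revoked", len(gone), "tokens; tablet still active:", store.is_active(tablet_at))
```

The per-device separation here comes from issuing a distinct refresh token per device rather than a distinct client per device; Sripathy's client-delete approach achieves the same isolation one level up, at the cost of a client registration per device.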


    Hi Yogesh, for revoking, use the DELETE method and an amadmin token instead of POST and client id/secret.
