• Resolved therealgilles

    (@chamois_blanc)


    Does the plugin support oauth2 token revocation?

    PS: My license was renewed back in April but the license settings page says ‘License valid until March 26th, 2019’.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter therealgilles

    (@chamois_blanc)

    I’m asking because I am getting an error response whenever I try:

    payload: { error: 'invalid_request', error_description: 'unknown request' }

    I believe the simple-oauth2 JS library I use sends the request to ‘/oauth/revoke’.

    Plugin Author Justin Greer

    (@justingreerbbi)

    Hi,

    Revoking a token is done in WP OAuth Server by using the endpoint /oauth/destroy and appending the access token to the URL as the parameter ?access_token=.

    This method will destroy the access token and if there is a session in the browser being used, destroy the user session as well.

    Hope this helps.

    Thread Starter therealgilles

    (@chamois_blanc)

    Thanks for the reply Justin.

    I thought I read OAuth2 specifies the endpoint for revocation as ‘revoke’. Is there a reason why you chose ‘destroy’ instead?

    Plugin Author Justin Greer

    (@justingreerbbi)

    Great question. The endpoint was chosen because the endpoint performs operations outside the scope of what the OAuth 2.0 draft specifies. Given that WordPress and OAuth 2.0 do not match up all the time, there are some things that are off.

    With this said, since we did add destroy to the endpoints and moved on, I think we simply overlooked the need for revoke.

    I will look into adding this in the next release so that it is more in line with the actual drafts. We will have to add backward compatibility as well. The endpoint and parameters the drafts specify are a bit off from what our terms are. It should not be a huge deal to get something in place though.

    Thread Starter therealgilles

    (@chamois_blanc)

    I am very thankful for your detailed answer; that explains everything. I had (unsuccessfully) been experimenting with token revocation using the revoke endpoint and was wondering if there was something wrong with my code.

    I will see if I can use the ‘destroy’ endpoint for now and then will give revoke a go once it is available. Thank you for your support.

    Plugin Author Justin Greer

    (@justingreerbbi)

    You’re welcome.

    It is beneficial to the project to adhere as closely to the draft as possible. The closer we are, the better compatibility there is with 3rd party services.

  • The topic ‘Revoke tokens’ is closed to new replies.
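
The two revocation request shapes discussed in this thread, as an added example that is not part of the original posts and is not WP OAuth Server or simple-oauth2 code. It builds the `/oauth/destroy?access_token=` request the plugin author describes and the form-encoded POST to `/oauth/revoke` defined by RFC 7009, then falls back from the second to the first when the server returns the `unknown request` payload quoted above. The base URL, client credentials, function names and the use of GET for `/oauth/destroy` are assumptions.

```javascript
// Added example. Assumptions: base URL, client credentials, function names,
// and GET as the method for /oauth/destroy (the thread does not state it).
function buildRevocationRequest(style, baseUrl, token, client = {}) {
  if (!token) throw new Error('token is required');
  if (style === 'destroy') {
    // Plugin endpoint from the thread: the token travels as ?access_token=...
    // Query strings are commonly written to access logs; treat those logs as sensitive.
    const url = new URL('/oauth/destroy', baseUrl);
    url.searchParams.set('access_token', token);
    return { url: url.toString(), method: 'GET', headers: {}, body: null };
  }
  if (style === 'revoke') {
    // RFC 7009 shape: form-encoded POST, token in the body, client authenticated.
    const body = new URLSearchParams({ token, token_type_hint: 'access_token' });
    const basic = btoa(`${client.id}:${client.secret}`);
    return {
      url: new URL('/oauth/revoke', baseUrl).toString(),
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        Authorization: `Basic ${basic}`,
      },
      body: body.toString(),
    };
  }
  throw new Error(`unknown revocation style: ${style}`);
}

// True for the error payload quoted in the thread (endpoint not implemented).
function isUnknownEndpoint(payload) {
  return Boolean(payload) && payload.error === 'invalid_request' &&
    payload.error_description === 'unknown request';
}

// Try /oauth/revoke first; fall back to /oauth/destroy if the server does not know it.
async function revokeToken(baseUrl, token, client, fetchImpl = fetch) {
  for (const style of ['revoke', 'destroy']) {
    const { url, ...init } = buildRevocationRequest(style, baseUrl, token, client);
    const res = await fetchImpl(url, init);
    const payload = await res.json().catch(() => null);
    if (isUnknownEndpoint(payload)) continue; // endpoint missing, try the next style
    return { revoked: res.ok, via: style, payload };
  }
  return { revoked: false, via: null, payload: null };
}
```

Passing a stub as `fetchImpl` lets the fallback logic be exercised without a live server.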