OAuth2 Server | Token Revocation (RFC 7009)

Overview

Token revocation allows clients to notify the TsgcHTTP_OAuth2_Server that a previously issued access token or refresh token is no longer needed. The server invalidates the token so it can no longer be used to access protected resources.

This is useful when a user logs out, when an application is uninstalled, or when a token may have been compromised.

Endpoint

POST to /sgc/oauth2/revoke with the following parameters:

Parameter          Description
token              The token to revoke (required).
token_type_hint    Optional hint about the token type: access_token or refresh_token.

Behavior

Per RFC 7009, the server always returns HTTP 200 OK regardless of whether the token was found or successfully revoked. This prevents token existence leakage: a client cannot determine whether a token was valid by observing the response status.

When a refresh token is revoked, the associated access token may also be invalidated (implementation-dependent). When an access token is revoked, the associated refresh token remains valid unless explicitly revoked.
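The behaviour described in this section, as an added example that is not sgcWebSockets code: an in-memory model of an RFC 7009 revocation endpoint. It shows the endpoint answering 200 whether or not the token exists, token_type_hint being treated only as a hint (the search extends to the other token type when the hinted one does not match), revocation of a refresh token cascading to the access tokens issued with it, and revocation of an access token leaving its refresh token valid. The names TokenStore, revoke_endpoint and the audit list, and all token values, are constructed for this example; the audit tuples carry the same three pieces of information the OnOAuth2AfterRevokeToken event exposes.

```python
# Added example, not sgcWebSockets code: in-memory model of an RFC 7009
# revocation endpoint. TokenStore, revoke_endpoint and all token values are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs


@dataclass
class TokenStore:
    """Issued tokens. `access` maps an access token to the refresh token it was
    issued with (or None); `refresh` maps a refresh token to its access tokens."""
    access: Dict[str, Optional[str]] = field(default_factory=dict)
    refresh: Dict[str, Set[str]] = field(default_factory=dict)

    def issue(self, access_token: str, refresh_token: Optional[str] = None) -> None:
        self.access[access_token] = refresh_token
        if refresh_token is not None:
            self.refresh.setdefault(refresh_token, set()).add(access_token)

    def revoke_access(self, token: str) -> bool:
        """Invalidate one access token; its refresh token stays valid."""
        if token not in self.access:
            return False
        refresh_token = self.access.pop(token)
        if refresh_token is not None:
            self.refresh.get(refresh_token, set()).discard(token)
        return True

    def revoke_refresh(self, token: str) -> bool:
        """Invalidate a refresh token and every access token issued from it
        (the cascade the text describes as implementation-dependent)."""
        access_tokens = self.refresh.pop(token, None)
        if access_tokens is None:
            return False
        for access_token in access_tokens:
            self.access.pop(access_token, None)
        return True


def revoke_endpoint(store: TokenStore, body: str,
                    audit: List[Tuple[str, str, bool]]) -> Tuple[int, dict]:
    """Handle one POST to the revocation endpoint.

    `body` is the raw application/x-www-form-urlencoded request body; `audit`
    receives (token, token_type_hint, revoked) tuples, the same information
    the OnOAuth2AfterRevokeToken event provides. Returns (status, json_body).
    """
    form = parse_qs(body, keep_blank_values=True)
    token = form.get("token", [""])[0]
    hint = form.get("token_type_hint", [""])[0]

    if not token:
        # A request without the mandatory parameter is malformed; RFC 7009
        # section 2.2.1 answers that with invalid_request rather than 200.
        return 400, {"error": "invalid_request"}

    # The hint only says where to look first. If the token is not found there
    # the search must extend to the other token type (RFC 7009 section 2.1);
    # an unrecognised hint value is simply ignored.
    order = ["access_token", "refresh_token"]
    if hint == "refresh_token":
        order.reverse()

    revoked = False
    for kind in order:
        if kind == "access_token":
            revoked = store.revoke_access(token)
        else:
            revoked = store.revoke_refresh(token)
        if revoked:
            break

    audit.append((token, hint, revoked))
    # 200 whether or not the token existed: the response never reveals
    # whether the presented value was a live token.
    return 200, {}
```

Usage: populate a TokenStore with issue(), then pass form-encoded bodies such as "token=...&token_type_hint=refresh_token" to revoke_endpoint and inspect the store and the audit list afterwards; an unknown token and a valid one both yield (200, {}), and only the audit entry distinguishes them.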

Configuration

Property                             Description
OAuth2Options.Revocation.Enabled     Set to True to enable the revocation endpoint. Default: False.
OAuth2Options.Revocation.URL         The revocation endpoint URL path. Default: /sgc/oauth2/revoke

Events

Event                        Description
OnOAuth2AfterRevokeToken     Fired after a token revocation attempt. Provides the token value, the token_type_hint, and a Revoked parameter indicating whether the token was successfully invalidated. Useful for logging revocation activity.

Example

// Create the OAuth2 server and enable the revocation endpoint
OAuth2Server := TsgcHTTP_OAuth2_Server.Create(nil);
OAuth2Server.OAuth2Options.Revocation.Enabled := True;

// Attach the revocation event handler declared below
OAuth2Server.OnOAuth2AfterRevokeToken := OAuth2ServerOAuth2AfterRevokeToken;

// Register app
OAuth2Server.Apps.AddApp('MyApp', 'http://127.0.0.1:8080',
  'my-client-id', 'my-client-secret', 3600, True, [auth2Code]);

// Attach the OAuth2 server to the HTTP server component (Server)
Server.Authentication.Enabled := True;
Server.Authentication.OAuth.OAuth2 := OAuth2Server;

// Handle revocation: log the attempt and confirm the token was invalidated
procedure TForm1.OAuth2ServerOAuth2AfterRevokeToken(Sender: TObject;
  const Token, TokenTypeHint: String; var Revoked: Boolean);
begin
  // Note: a production log should record a hash or prefix of the token
  // rather than the full value.
  Log('Token revoked: ' + Token + ' (type: ' + TokenTypeHint + ')');
  Revoked := True;
end;

Client Request Example

A client revokes a token by sending a POST request to the revocation endpoint:

// Client-side: revoke an access token
// The body is application/x-www-form-urlencoded; confidential clients also
// send their client credentials with the request (RFC 7009 section 2.1).
HTTPClient.Post('https://example.com/sgc/oauth2/revoke',
  'token=eyJhbGciOi...&token_type_hint=access_token');
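The request above, built out explicitly as an added example that is not sgcWebSockets code: a helper that produces the method, path, headers and form-encoded body of a revocation call, escaping tokens that contain characters such as '+', '&' or '=' and, for confidential clients, adding the HTTP Basic client authentication that RFC 7009 section 2.1 requires (client_id and client_secret form-encoded before base64, per RFC 6749 section 2.3.1). The function name build_revocation_request, the client credentials and the token values are constructed for this example.

```python
# Added example, not sgcWebSockets code: build an RFC 7009 revocation request.
# build_revocation_request and the sample credentials are constructed here.
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import quote, urlencode, urlsplit


def build_revocation_request(endpoint: str, token: str,
                             token_type_hint: Optional[str] = None,
                             client_id: Optional[str] = None,
                             client_secret: Optional[str] = None
                             ) -> Tuple[str, str, Dict[str, str], str]:
    """Return (method, path, headers, body) for a POST to the revocation endpoint.

    The body is form-encoded, so reserved characters in the token are escaped
    instead of splitting the parameter. When client credentials are given they
    are sent as HTTP Basic, each component form-encoded first (RFC 6749 2.3.1).
    """
    params = {"token": token}
    if token_type_hint:
        params["token_type_hint"] = token_type_hint
    body = urlencode(params)

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_id is not None and client_secret is not None:
        userpass = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(userpass.encode()).decode()

    return "POST", urlsplit(endpoint).path, headers, body
```

Usage: pass the endpoint URL, the token and an optional hint; hand the returned headers and body to whatever HTTP client is in use. Because the server answers 200 regardless of whether the token was known, the client learns nothing from the status about the token's prior validity and should simply discard its local copy after the call.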