OnOAuth2AfterRevokeToken Event

Fires after the /revoke endpoint processes a token revocation request (RFC 7009).

Syntax

property OnOAuth2AfterRevokeToken: TsgcHTTPOAuth2AfterRevokeTokenEvent;
// TsgcHTTPOAuth2AfterRevokeTokenEvent = procedure(Sender: TObject; Connection: TsgcWSConnection; const Token, TokenTypeHint: String; var Revoked: Boolean) of object

Default Value

Remarks

OnOAuth2AfterRevokeToken is raised after the revocation endpoint (RFC 7009) has processed a client request to invalidate a previously issued token. Token contains the token value that was submitted. TokenTypeHint is the hint provided by the client (access_token or refresh_token) and can be empty. Revoked reflects whether the server was able to locate and invalidate the token; keep it True, or set it to False to signal that the revocation was not effective (for example, when the token belongs to another authorization server in a federated setup). The event is ideal for audit logging and for propagating revocation to external token caches or resource servers.

Example


procedure OnOAuth2AfterRevokeToken(Sender: TObject; Connection: TsgcWSConnection;
  const Token, TokenTypeHint: string; var Revoked: Boolean);
begin
  DoLog(Format('Token revoked (hint=%s, result=%s): %s',
    [TokenTypeHint, BoolToStr(Revoked, True), Token]));
  // propagate revocation to a shared cache
  if Revoked then
    SharedCache.RemoveToken(Token);
end;
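
The handler above writes the full token value to the log. The variant below, added here as an illustration and not taken from the sgcWebSockets library or its documentation, logs a SHA-256 fingerprint instead and normalizes the client-supplied hint before it reaches the log. TForm1, AuditLog and SharedCache are hypothetical application names; THashSHA2 is the Delphi RTL class from System.Hash.

```delphi
// Added example (not sgcWebSockets code). Goes in the implementation section
// of the unit that owns the server component; that unit must also use the
// sgcWebSockets unit declaring TsgcWSConnection.
uses
  System.SysUtils, System.Hash;

// Stable identifier that is safe to log: the first 16 hex characters of the
// token's SHA-256 digest. It lets revocations be correlated across log lines
// without storing a usable credential.
function TokenFingerprint(const aToken: string): string;
begin
  Result := Copy(THashSHA2.GetHashString(aToken), 1, 16);
end;

// The hint is client-controlled text. Only the two values named in the
// Remarks are logged verbatim; anything else is replaced by a fixed label so
// control characters or line breaks cannot forge audit entries.
function SafeHint(const aHint: string): string;
begin
  if (aHint = 'access_token') or (aHint = 'refresh_token') then
    Result := aHint
  else if aHint = '' then
    Result := '(none)'
  else
    Result := '(other)';
end;

procedure TForm1.OnOAuth2AfterRevokeToken(Sender: TObject;
  Connection: TsgcWSConnection; const Token, TokenTypeHint: string;
  var Revoked: Boolean);
begin
  // When Revoked is False the submitted value may still be a live token,
  // so the audit record carries the fingerprint only.
  // AuditLog is a hypothetical application logging routine.
  AuditLog(Format('oauth2 revoke hint=%s result=%s token_sha256_16=%s',
    [SafeHint(TokenTypeHint), BoolToStr(Revoked, True),
     TokenFingerprint(Token)]));

  // Propagate only confirmed revocations.
  // SharedCache is a hypothetical application-level token cache.
  if Revoked then
    SharedCache.RemoveToken(Token);
end;
```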