features.revocation

RFC7009 - OAuth 2.0 Token Revocation

Specifies whether Token Revocation capabilities shall be enabled. When enabled, the authorization server shall expose a token revocation endpoint that allows authorized clients to notify the authorization server that a particular token is no longer needed. This feature supports revocation of the following token types:

  • Opaque access tokens
  • Refresh tokens

default value:

{
  allowedPolicy: [AsyncFunction: revocationAllowedPolicy], // see expanded details below
  enabled: false
}
features.revocation options details

allowedPolicy

Specifies a helper function (async) that the revocation endpoint invokes to determine whether the requesting client or resource server is authorized to revoke the presented token. It receives the koa request context, the authenticated client and the token. Returning true revokes the token; returning false leaves the token untouched while the endpoint still responds with success (so the endpoint cannot be used to probe whether a guessed token exists); throwing one of the provider's errors turns into the corresponding error response. This lets deployments enforce fine-grained access control policies for token revocation according to their own security requirements.

default value:

// `errors` is the provider's exported error classes (import { errors } from 'oidc-provider')
async function revocationAllowedPolicy(ctx, client, token) {
  // @param ctx - koa request context
  // @param client - authenticated client making the request
  // @param token - token being revoked
  if (token.clientId !== client.clientId) {
    if (client.clientAuthMethod === 'none') {
      // public client presenting someone else's token:
      // do not revoke but respond as success to disallow guessing valid tokens
      return false;
    }
    // authenticated (confidential) client: reject with an invalid_request error response
    throw new errors.InvalidRequest('client is not authorized to revoke the presented token');
  }
  // the token was issued to the requesting client: revoke it
  return true;
}