Revoke Access token programatically

SergioETrillo · June 21, 2018, 2:12pm

I want to revoke one (all) refresh tokens of a user accessing a specific application.

In the Dashboard, it is simple, in Users, Authorized Applications, then click the button “Revoke” on the selected application.

But how do I do the same using the auth0 API? In the docs I can only find to use /oauth/revoke, but for that I need to know the refresh token I want to revoke Where can I find that programatically? (I know my user and application).

kimcodes · June 27, 2018, 2:14pm

@SergioETrillo there’s an endpoint that will delete all grants and refresh tokens for a given user ID:
curl -X DELETE 'https://{{your-auth0-domain}}/api/v2/grants?user_id={{your-user-id}} please note that this will also revoke all grants for the user which may not be exactly what you would want. Please let me know if this works for you.

SergioETrillo · June 28, 2018, 11:01am

Thanks for the answer @kimcodes.
I am not too sure what implies the revocation of all grants for the user but it seems it may work. I had figured out a solution as follows:

Get accessToken for v2
Get userId from email https://{{auth0-domain}}/api/v2/users?q=emailxxxxxxx&search_engine=v3
List device credentials refresh tokens for user: https://{{auth0-domain}}/api/v2/device-credentials?user_id=auth0|xxxxxxxxxxxxxxxx&type=refresh_token
Iterate the list and delete them with https://{{auht0-domain}}/api/v2/device-credentials/dcr_xxxxxxxxxx

But yours seems simpler.

AKT · February 8, 2019, 11:30am

Another way is to remove the grant for given application. You can use /api/v2/grants to get the grants for a given user. Find out the client id for which you are trying to remove authorisation, you will get the grant id from get_grants list. Now invoke /api/v2/grants/{id?} with DELETE method to remove the application authorisation. This will revoke all the refresh token for the user for the application.

aminul · May 8, 2019, 8:10am

hi, @kimcodes I’m trying to invalidate access token on logoff , using this api endpoint https://{{your-auth0-domain}}/api/v2/grants?user_id={{your-user-id}} , but it seems even after the I make this api call the user specific access token remains valid and I can send user info requests with access token obtained for that user earlier https://{{your-auth0-domain}}/userinfo , is it possible to invalidate user access token when user logout ?

kimcodes · June 10, 2019, 7:43pm

@aminul were you able to successfully log out the user? did you solve your issue?

aminul · June 11, 2019, 5:17am

Hi, @kimcodes As this auth0 document suggest I’ve logged user out of my java application session layer ,but log out them from auth0 session layer will require us to configure too many Allowed Logout URLs ( we too many routes and sub-domains ), I was looking for a solution to log out them from auth0 session layer with java codes only that doesn’t require the Allowed Logout URLs settings , is it possible ?

konrad.sopala · June 11, 2019, 10:18am

Hey there @aminul!

Unfortunately Kim is no longer working at Auth0 but I’ll do my best to help you! Let me get more context and investigate it so I can get back to you shortly!

Topic		Replies	Views
DELETE /api/v2/device-credentials/{id} for revoking refresh token same behaviour than /oauth/revoke? Help api	1	4155	June 11, 2020
Unable to revoke refresh tokens Help auth0 , refresh-tokens	2	2051	December 21, 2022
Refresh token revocation Knowledge Articles refresh-token , delete , grant , offline_access	1	1967	February 17, 2023
How revoke all access tokens Help configuration , application	2	244	May 7, 2024
Revoking Access Tokens Help auth0 , api	4	3625	April 17, 2020

Revoke Access token programatically

Related Topics