Revoke Tokens

Many Identity Providers issue an Access Token in response to the authentication process. You can use an Access Token to make authenticated API calls to an Identity Provider to access additional resources.

However, because Refresh Tokens may never expire, they must be explicitly revoked once they are no longer needed. You can do this by calling RevokeToken through the LogonLabs Gateway. Revocation is also important when a user unsubscribes, removes an application, or the API resources an app requires have changed significantly.

In order to receive a Refresh Token on authentication, Return Authorization Data must be enabled for the Identity Provider.

Supported Identity Providers

The following Identity Providers support Revoke:

Identity Provider Notes

Each Identity Provider behaves slightly differently on Revoke, both in which Token you should pass and in what effect the call has. Below is a description of the specific quirks for each Identity Provider.

Using the Access Token to Revoke invalidates the Refresh Token and the Access Token.

Using the Refresh Token to Revoke doesn’t invalidate the Refresh Token. It can still be used to get a new Access Token.

When “Return Authorization Data” is enabled, the scope “access_type=offline” is automatically added by LogonLabs in order to return the Access Token.

An invalid token passed to RevokeToken will also return a 200 OK, as the Identity Provider does not want to leak information on whether a token is valid or not.

QuickBooks documentation indicates that you should pass the Access Token on revoke, and not the Refresh Token.

No special considerations or differences.

Either the Refresh Token or the Access Token can be used in Revoke.

After Revoke, the user will be required to re-authorize your application on their next login.

Salesforce

Using the Access Token to Revoke does not revoke the Refresh Token.

Using the Refresh Token to Revoke does revoke access, and therefore the Refresh Token should be passed in Revoke.

In order for Okta to return a Refresh Token, you must enable “Refresh Token” under General Settings for your Okta App. Please see Step 6 on this page to complete this change.

Using the Access Token to Revoke doesn’t invalidate the Refresh Token. It can still be used to get a new Access Token.

Using the Refresh Token to Revoke invalidates the Refresh Token and the Access Token.

An invalid token passed to RevokeToken will also return a 200 OK, as the Identity Provider does not want to leak information on whether a token is valid or not.

When “Return Authorization Data” is enabled, the scope “offline_access” is automatically added by LogonLabs in order to return the Access Token.

You are required to pass the Refresh Token on revoke in order to invalidate the tokens. Passing the Access Token has no effect.

An invalid token passed to RevokeToken will also return a 200 OK, as the Identity Provider does not want to leak information on whether a token is valid or not.
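The notes above make two points that are easy to get wrong in code: the token you pass decides what actually gets invalidated, and a 200 OK from RevokeToken is not evidence of anything, since an invalid or already-dead token returns 200 OK as well. The following is an added example (not LogonLabs or Identity Provider code) that models both behaviours with a constructed stand-in provider and shows a revoke routine that verifies the outcome by trying to redeem the Refresh Token instead of trusting the status code.

```python
from dataclasses import dataclass, field


@dataclass
class FakeIdP:
    """Constructed stand-in for an Identity Provider's token endpoints.

    revoke_by_access controls whether revoking with the Access Token also
    invalidates the Refresh Token (the first behaviour described on the
    page) or leaves it alive (the Salesforce-style behaviour).
    """
    revoke_by_access: bool
    refresh_tokens: set = field(default_factory=set)
    access_tokens: dict = field(default_factory=dict)  # access -> refresh

    def issue(self, refresh, access):
        self.refresh_tokens.add(refresh)
        self.access_tokens[access] = refresh

    def revoke(self, token):
        # Always answers 200, even for unknown tokens: no validity oracle.
        if token in self.refresh_tokens:
            self.refresh_tokens.discard(token)
            self.access_tokens = {a: r for a, r in self.access_tokens.items()
                                  if r != token}
        elif token in self.access_tokens:
            refresh = self.access_tokens.pop(token)
            if self.revoke_by_access:
                self.refresh_tokens.discard(refresh)
        return 200

    def redeem(self, refresh_token):
        """True if the Refresh Token still mints a new Access Token."""
        return refresh_token in self.refresh_tokens


def revoke_and_verify(idp, token_to_revoke, refresh_token):
    """Revoke, then confirm the Refresh Token is really dead.

    Returns True only when the Refresh Token can no longer be redeemed.
    The HTTP status is recorded but deliberately not used as evidence.
    """
    status = idp.revoke(token_to_revoke)
    if status != 200:
        return False  # transport-level failure; nothing was revoked
    if idp.redeem(refresh_token):
        # Wrong token for this provider: fall back to the Refresh Token.
        idp.revoke(refresh_token)
        return not idp.redeem(refresh_token)
    return True
```

The fallback path is what you want when you are unsure which token a given provider honours: it costs one extra call and removes the guesswork.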
