4.5 Revoking access tokens
You can revoke an access token for the web.oauth2 authentication server; the server supports the OAuth2/OpenID Connect revocation endpoint.
Where the token contains a scope that allows accessing the MyID Core API, the revocation endpoint updates the MyID database to ensure that the access token can no longer be used.
If you are using refresh tokens, these are also invalidated.
Note: Revoking a token that does not include a scope that relates to the MyID database (for example, a token without the myid.rest.basic scope because it is used for products outside MyID) invalidates any refresh tokens, but the access token itself remains valid until it expires. This is because an access token is valid until expiry unless there is a back-end system that can be updated to record that the access token is no longer valid.
To call the revocation endpoint, post the following information to the MyID revocation URL, formatted according to the RFC for OAuth 2.0 Token Revocation (RFC 7009):
https://<server>/web.oauth2/connect/revocation
- client_id – the ID of your system; for example: myid.myclient
- token – set this to the access token.
- token_type_hint – set this to: access_token
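The following is an added example of that request, not code from the MyID documentation. It builds the form-encoded POST described above with the standard library only; the host name myid.example.com and the token value are constructed, and the optional client_secret (sent as HTTP Basic credentials, the client authentication that RFC 7009 section 2.1 requires of confidential clients) is an assumption not covered by the text above.

```python
"""Revoke a web.oauth2 access token via the RFC 7009 revocation endpoint."""
import base64
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

REVOCATION_PATH = "/web.oauth2/connect/revocation"


def build_revocation_request(server: str, client_id: str, token: str,
                             client_secret: Optional[str] = None) -> urllib.request.Request:
    """Build the POST: client_id, token and token_type_hint as an
    application/x-www-form-urlencoded body (RFC 7009 section 2.1).

    client_secret is an assumption: if your client is registered as a
    confidential client, send its credentials as HTTP Basic; otherwise None.
    """
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "token": token,
        "token_type_hint": "access_token",
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode("ascii")
    return urllib.request.Request(f"https://{server}{REVOCATION_PATH}",
                                  data=body, headers=headers, method="POST")


def revoke_access_token(server: str, client_id: str, token: str,
                        client_secret: Optional[str] = None) -> Tuple[bool, str]:
    """Send the revocation request and return (ok, detail).

    RFC 7009 says the server answers 200 whether or not the token was still
    valid, so ok=True means "not usable from now on", not "it was valid".
    A 400 carries an OAuth error body such as unsupported_token_type.
    """
    req = build_revocation_request(server, client_id, token, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200, f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code}: {exc.read().decode('utf-8', 'replace')}"
    except urllib.error.URLError as exc:
        return False, f"connection failed: {exc.reason}"


if __name__ == "__main__":
    # Constructed values; replace with your server, client ID and real token.
    print(revoke_access_token("myid.example.com", "myid.myclient", "eyJ.constructed.token"))
```

Remember that a 200 from this endpoint only confirms the server processed the request; for a token without a MyID scope the note above still applies and the access token itself stays usable until expiry.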