Revoking OAuth2 Tokens

09-12-2018 02:19 PM
by Anonymous User

As per the docs (ArcGIS REST API, Authorize—ArcGIS REST API: Users, groups, and content | ArcGIS for Developers) there is no apparent REST Endpoint for revoking issued OAuth2 Tokens.

In searching I stumbled across the https://www.arcgis.com/sharing/rest/oauth2/signout endpoint which can be used to sign out of AGOL and other platforms which make use of the esri_auth cookie; however it only ever provides HTML responses, suggesting it's strictly a browser flow endpoint and not for use with server side calls.

Is there a means of revoking OAuth tokens with a purpose-built REST Endpoint? Ideally, with functionality to provide either the access token directly, or the refresh token, which would invalidate all associated tokens, and a response that isn't HTML.


Accepted Solution
Nicholas-Furness
Esri Regular Contributor

Hi Paul.

I stumbled upon your question while trying to figure this out myself, so figured I'd share what I learnt.

You can use the revokeToken endpoint (https POST only) to revoke OAuth access tokens or refresh tokens. Pass in auth_token and client_id. Optionally also pass in token_type_hint as "access_token" or "refresh_token" (otherwise we'll first check if it's an access token and if it's not, check if it's a refresh token). Note that:

  • Only one-step OAuth tokens generated with user logins (i.e. not clientid/secret) can be revoked.
  • Revoking a refresh token revokes all access tokens generated from it.
  • Revoking a token that's invalid/revoked/expired/isn't the right type will return "success".

This was introduced with the latest release of ArcGIS Online (so after your most recent comment, I believe) and documentation should be coming with the next release.

Hope this helps.

Nick.

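A server-side logout helper that calls the revokeToken endpoint the way Nick's answer describes, as an added example that is not code from the thread or from Esri. The endpoint path https://www.arcgis.com/sharing/rest/oauth2/revokeToken, the f=json parameter and the {"success": true} response shape are assumptions modelled on other sharing/rest endpoints; the answer itself only names the endpoint and the auth_token, client_id and token_type_hint fields.

```python
"""Revoke an ArcGIS OAuth2 access or refresh token (example, not Esri code).

Assumptions not stated in the thread: the endpoint URL below, the f=json
parameter, and a JSON body of {"success": true} on success.
"""
import json
import urllib.parse
import urllib.request

REVOKE_URL = "https://www.arcgis.com/sharing/rest/oauth2/revokeToken"  # assumed path
VALID_HINTS = {"access_token", "refresh_token"}


def build_revoke_request(auth_token, client_id, token_type_hint=None):
    """Return (url, urlencoded POST body) for a revokeToken call.

    The thread says the endpoint is HTTPS POST only; sending the token in the
    body rather than the query string also keeps it out of proxy/access logs.
    """
    if token_type_hint is not None and token_type_hint not in VALID_HINTS:
        raise ValueError(f"token_type_hint must be one of {sorted(VALID_HINTS)}")
    fields = {"client_id": client_id, "auth_token": auth_token, "f": "json"}
    if token_type_hint:
        fields["token_type_hint"] = token_type_hint
    return REVOKE_URL, urllib.parse.urlencode(fields).encode()


def parse_revoke_response(raw):
    """Interpret the JSON reply (shape assumed, see module docstring).

    Per the thread, a token that is already revoked, expired, or of the wrong
    type still yields success, so True means "no longer usable", not "was valid
    until now". An error object means the call itself was rejected.
    """
    data = json.loads(raw)
    if "error" in data:
        err = data["error"]
        raise RuntimeError(f"revokeToken failed ({err.get('code')}): {err.get('message', '')}")
    return bool(data.get("success"))


def revoke_token(auth_token, client_id, token_type_hint=None, opener=urllib.request.urlopen):
    """POST the revocation; `opener` is injectable so callers can stub the network."""
    url, body = build_revoke_request(auth_token, client_id, token_type_hint)
    req = urllib.request.Request(url, data=body, method="POST")
    with opener(req) as resp:
        return parse_revoke_response(resp.read())
```

On logout, call revoke_token with the refresh token and token_type_hint="refresh_token": per the answer that cascades to every access token minted from it, which merely refreshing never does.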
4 Replies
by Anonymous User

It's been 7 months now, and no change to the documentation, or feedback in this regard.

For those who are developing security-conscious applications authenticating users via OAuth, and are looking for a way to properly end a session, I'm sad to report that I still have yet to find, or be provided, any guidance on how to invalidate an Access Token from within a server flow.

It seems the only way to invalidate an Access or Refresh Token is for the User to change their password - which thankfully will invalidate all existing tokens issued previously - Access and Refresh alike - so at the very least that's available as a fallback in the event of a breach resulting in the capture of the Refresh Token.

Note - Refreshing an access token through the /token endpoint does not invalidate the original Access Token, so doing so only creates more valid Access Tokens in addition to the one that was already granted. 

Are there any plans to create a better OAuth integration experience? One can only hope.

Nicholas-Furness
Esri Regular Contributor

FYI, the documentation for revokeToken went live with today's release of the developer's site: Revoke Token—ArcGIS REST API 

by Anonymous User

Hey Nicholas, 

This is spot on, thank you!