What is the URL or request for revoking an access token in live.com OAuth?
The similar request on Google OAuth is:
POST https://accounts.google.com/o/oauth2/revoke?token=%access_or_refresh_token%
From this link: http://msdn.microsoft.com/en-us/library/ff752110.aspx, it appears that revoking consent is a manual process and even then, it does not immediately revoke a token.
https://appleid.apple.com/auth/revoke is the API for revoking auth from the Apple account; I am getting a 200 OK response but am still not able to unlink the app from Apple, so do we need to call the token API for an access token? If yes, here is the screenshot.
The token-generating API (the AuthToken API) is returning invalid_request, so how can we unlink the app from the Apple account settings?
As per my understanding, for https://appleid.apple.com/auth/token:
Is client_id the bundle ID, right?
Is client_secret the identityToken provided by Apple during the Sign In process?
Is grant_type authorization_code or refresh_token?
I do not understand how to get the two below, and also whether auth/token returns a token which we are able to pass to the auth/revoke API:
code
refresh_token
I'd really appreciate it if someone can explain what should I do with the info provided during Sign in with Apple flow (UserId, IdentityToken, and AuthorizationCode) in order to properly implement the Revoke Tokens API.
In Bitbucket, I have created an OAuth consumer and implemented the authentication flow (Authorization Code Grant): https://developer.atlassian.com/cloud/bitbucket/rest/intro/#1--authorization-code-grant--4-1-
I need help with the revoke authorization API.
At some point, if the user wants to revoke this authorization, it can be done on the Bitbucket website (attached image for reference):
revoke authorization from website
I couldn't find a REST API reference for revoking an app authorization from my website itself. Kindly assist me with how to revoke the authorization.
I'm looking for an API in Microsoft Graph to revoke a user's token. Apparently, there is also no method for it in the O365 Python library.
Normally, we can revoke the credentials of our applications manually via the Microsoft account consent page, but I couldn't find an API for that in Microsoft Graph.
For example, the following is the google revoke uri:
https://oauth2.googleapis.com/revoke
You can use the Graph call below to revoke the refresh token. To revoke the refresh token of the signed-in user:
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions
To revoke the refresh token of another user:
POST https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user/revokeSignInSessions
ref doc - https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
Note: you cannot revoke access tokens. Access tokens are short-lived and by default valid for 1 hour. However, once the refresh tokens are revoked, the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens.
Refer to: https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes.
We have implemented the below process for revoking OAuth access tokens / refresh tokens to de-link an external app from our application.
On logout or a user-initiated de-linking action, we delete the access token and refresh token that were obtained from the initial authorization flow.
The user has to go through the authorization flow once again to obtain a new access token and refresh token.
We are not calling any token revoke function / API call to the authorization server
My question is:
Does the authorization server automatically revoke the first set of access token + refresh token if a new authorization flow has been initiated by our app?
Are there any potential pitfalls to avoid in this approach?
The reason we took this approach is that most third-party apps do not offer revoke-access APIs and require the user to go to the third-party app to remove access / de-link the authorized apps.
Does the authorization server automatically revoke the first set of access token + refresh token if a new authorization flow has been initiated by our app?
No, most won't. Consider a scenario where a user is logged into your application from multiple devices. Each would get a valid access/refresh token.
So, you can't rely on this.
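Pulling the revocation calls on this page together, as an added Go example (not code from any of the posters, Google or Microsoft): it builds the Google revoke request from the first post and the Graph revokeSignInSessions request from the answer above, and then measures the caveat both threads run into, namely that an access token already issued keeps working until its exp after the refresh token behind it is revoked, which is also the window the local-delete approach leaves open. Requests are built, not sent; the sample access token is constructed inline with a placeholder signature, and the token strings in main are placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// RevokeGoogle builds the revocation call Google accepts (RFC 7009 shape:
// the access or refresh token in a form body). Revoking a refresh token
// also invalidates the access tokens issued from it.
func RevokeGoogle(token string) (*http.Request, error) {
	form := url.Values{"token": {token}}
	req, err := http.NewRequest(http.MethodPost, "https://oauth2.googleapis.com/revoke",
		strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// RevokeGraphSessions builds the Microsoft Graph call that invalidates a
// user's refresh tokens. user == "" targets the signed-in user (/me);
// otherwise pass the object id or UPN. callerToken is the caller's own
// Graph access token; the call has no body.
func RevokeGraphSessions(user, callerToken string) (*http.Request, error) {
	target := "https://graph.microsoft.com/v1.0/me/revokeSignInSessions"
	if user != "" {
		target = "https://graph.microsoft.com/v1.0/users/" + url.PathEscape(user) + "/revokeSignInSessions"
	}
	req, err := http.NewRequest(http.MethodPost, target, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+callerToken)
	return req, nil
}

// AccessTokenRemaining reports how long a JWT-format access token is still
// accepted after the refresh token behind it was revoked: revocation does not
// reach tokens already issued, so resource servers honour them until exp.
// The signature is deliberately not checked; this is a client-side estimate
// for scheduling, never an authorization decision.
func AccessTokenRemaining(jwt string, now time.Time) (time.Duration, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return 0, errors.New("not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return 0, err
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return 0, err
	}
	if claims.Exp == 0 {
		return 0, errors.New("no exp claim")
	}
	return time.Unix(claims.Exp, 0).Sub(now), nil
}

// constructedJWT fabricates a sample token for the demo: real layout, but a
// placeholder signature segment and no real issuer.
func constructedJWT(exp time.Time) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]interface{}{"aud": "https://graph.microsoft.com", "exp": exp.Unix()})
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	now := time.Now()
	g, _ := RevokeGoogle("<refresh-token>")
	m, _ := RevokeGraphSessions("", "<graph-access-token>")
	fmt.Println(g.Method, g.URL)
	fmt.Println(m.Method, m.URL)
	left, _ := AccessTokenRemaining(constructedJWT(now.Add(42*time.Minute)), now)
	fmt.Printf("existing access token stays valid for ~%s after revocation\n", left.Round(time.Minute))
}
```

Where the provider exposes no revocation endpoint (the Bitbucket case above, and many third-party apps), deleting the tokens locally is the only client-side option; AccessTokenRemaining at least tells you how long the orphaned access token stays usable, and the user still has to remove the grant in the provider's own settings so the refresh token cannot be redeemed by anyone who still holds a copy.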
I am using OAuth to access Google Cloud Storage via their JSON API.
All is fine; I authenticate and get an access token which has an expiration of 3600.
What is the correct way to refresh this?
It is my understanding that in other types of OAuth flows (i.e. Web Server), the initial authorization request returns a refresh token as well as an access token, and that the refresh token is used to ask for another access token when the current access token has expired.
But it appears that there is no refresh token when doing server-to-server OAuth with a Google "Service Account"?
Found the answer.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration
Access tokens issued by the Google OAuth 2.0 Authorization Server expire one hour after they are issued. When an access token expires, then the application should generate another JWT, sign it, and request another access token.
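The "generate another JWT, sign it, and request another access token" step from the quoted docs, as an added Go example (not from the poster or from Google's client libraries). It generates a throwaway RSA key in place of the key file's private_key, signs the RS256 assertion with the claims the flow requires, verifies it locally the way the token endpoint would, builds the token request without sending it, and decides when to mint the next assertion from the recorded expires_in. The service-account e-mail and the Cloud Storage scope are placeholders. Apple's client_secret in the earlier post is the same kind of developer-signed JWT (ES256 rather than RS256); the example does not cover it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

const tokenEndpoint = "https://oauth2.googleapis.com/token"

// iss is the key file's client_email, aud is always the token endpoint,
// scope is space-separated, and exp may be at most iat + 1h.
type AssertionClaims struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignedAssertion is the "generate another JWT, sign it" step: an RS256 JWS
// over the claims above, valid for one hour from now.
func SignedAssertion(key *rsa.PrivateKey, clientEmail, scope string, now time.Time) (string, error) {
	claims, _ := json.Marshal(AssertionClaims{ // plain struct, cannot fail to marshal
		Iss: clientEmail, Scope: scope, Aud: tokenEndpoint,
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(),
	})
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion does what the token endpoint does on receipt: check the
// signature over header.payload, then read the claims.
func VerifyAssertion(pub *rsa.PublicKey, jwt string) (AssertionClaims, error) {
	var c AssertionClaims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a compact JWS")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// TokenRequest redeems the assertion; the reply carries access_token and
// expires_in (3600). The request is built, not sent.
func TokenRequest(assertion string) (*http.Request, error) {
	form := url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":  {assertion},
	}
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// NeedsRefresh is the "refresh": with no refresh token, the client keeps the
// issue time and expires_in and mints a new assertion skew ahead of expiry.
func NeedsRefresh(issuedAt time.Time, expiresIn int, now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(issuedAt.Add(time.Duration(expiresIn) * time.Second))
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key; normally the key file's private_key
	now := time.Now()
	jwt, err := SignedAssertion(key, "svc@example-project.iam.gserviceaccount.com", "https://www.googleapis.com/auth/devstorage.read_only", now)
	if err != nil {
		panic(err)
	}
	req, _ := TokenRequest(jwt)
	fmt.Println(req.Method, req.URL, "| refresh due at 55 min:", NeedsRefresh(now, 3600, now.Add(55*time.Minute), 5*time.Minute))
}
```

Keeping the issue time and expires_in next to the cached access token, and refreshing a few minutes early, avoids the first failed request; there is no refresh token to store, so the private key itself is the long-lived secret and is what needs protecting.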