Deauthorization

Introduction

If your application implements some kind of logout functionality where you remove the access token from your system, you should also tell aID, so the access token can be removed from aID as well. This helps performance by making sure the number of unused access tokens doesn't grow out of proportion.

By default, revoking an access_token will also invalidate the aID web session that was used when authorizing the access_token. This creates the effect of single sign-out: the user thinks of aID as one concept, not in terms of the different applications he logs in to. This is the desired behaviour for most applications. For those that don't fall into this category, the cascade parameter should be used to avoid logging the user out of aID.


Revoking Authorization - Deleting the Access Token from aID

Revoking an access token is done by POSTing the token to the revoke service in aID.

URL:
https://www.aid.no/oauth/revoke

This service differs from the OAuth-enabled endpoints described here. Instead, it follows the standard OAuth2 spec for revoking tokens; the details can be found here. Instead of providing the access token as a bearer in the Authorization header, the application's client_id and client_secret should be provided as username and password in a Basic Authorization header. In addition, you add the token to be revoked using the form parameter token, with the token as its value.

An alternative to using the Authorization header is to set client_id and client_secret as request parameters. This is not recommended, as request parameters easily end up in access logs, proxies and browser history, leaking the secret. Use the header whenever possible.

The service responds with an empty JSON object: {}

Posted fields / values

Name      Description
token     The token to revoke. This is the same access token that is otherwise sent as the Bearer token to the OAuth-enabled endpoints.
cascade   (optional) If set to 'false', revoking the token will not log the user out of the aID web session.

Example

Given the access token we got from the Authorization service, we can revoke it using curl like this:

curl -F token=d4bbad00 -H "Authorization: Basic YzRmZWI0YjM6MWMzYjAwZDQ=" -X POST https://www.aid.no/oauth/revoke

If, after revoking the token, you call any of the services that previously worked with it, they will fail with invalid_token.
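The same revocation as the curl command above, written as an added Python example; this is not code from the aID documentation or from aID itself. It shows how the Basic Authorization header is built from client_id:client_secret (the header in the curl example, "Basic YzRmZWI0YjM6MWMzYjAwZDQ=", decodes to the sample credentials c4feb4b3:1c3b00d4), keeps the secret out of the request parameters, and sends the token and the optional cascade flag as form fields. The body is sent as application/x-www-form-urlencoded, the usual OAuth2 form encoding, whereas the curl example uses multipart (-F); that the service accepts both is an assumption. The injectable opener, the function names and the placeholder credentials are likewise this example's own.

```python
import base64
import json
import urllib.parse
import urllib.request

# Revoke endpoint as given in the aID documentation.
REVOKE_URL = "https://www.aid.no/oauth/revoke"


def basic_auth_header(client_id, client_secret):
    """Build the value of a Basic Authorization header from client_id:client_secret.

    For the sample credentials c4feb4b3:1c3b00d4 this yields the header used in
    the documentation's curl example, "Basic YzRmZWI0YjM6MWMzYjAwZDQ=".
    """
    credentials = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def build_revoke_request(client_id, client_secret, token, cascade=None):
    """Return the urllib Request that revokes `token` at the aID revoke service.

    client_id/client_secret travel in the Authorization header rather than as
    request parameters, so they do not end up in access logs.  The token and the
    optional cascade flag travel in the POST body as form fields.  The body is
    application/x-www-form-urlencoded here; the curl example on the page uses
    multipart (-F), and this example assumes aID accepts either encoding.
    """
    fields = {"token": token}
    if cascade is not None:
        # cascade=false keeps the aID web session alive; only the token is revoked.
        fields["cascade"] = "true" if cascade else "false"
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        REVOKE_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def revoke_token(client_id, client_secret, token, cascade=None, opener=None):
    """POST the revocation and return the decoded JSON reply ({} on success).

    `opener` is injectable (hypothetical convenience for testing without network
    access); by default a plain urllib opener talks to the real service.
    """
    opener = opener or urllib.request.build_opener()
    request = build_revoke_request(client_id, client_secret, token, cascade)
    with opener.open(request, timeout=10) as response:
        payload = response.read().decode("utf-8")
    return json.loads(payload) if payload.strip() else {}


if __name__ == "__main__":
    # Placeholder credentials and token taken from the curl example; replace
    # them with your own application's values.
    request = build_revoke_request("c4feb4b3", "1c3b00d4", "d4bbad00", cascade=False)
    print(request.get_header("Authorization"))  # Basic YzRmZWI0YjM6MWMzYjAwZDQ=
    print(request.data)                         # b'token=d4bbad00&cascade=false'
```

Call revoke_token() from your logout handler right after you drop the token locally; a non-2xx reply raises urllib.error.HTTPError, which is the signal to log the failure and retry, since the token is otherwise left alive on the aID side.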