Janssen Server supports a token revocation endpoint, which enables a client to notify the server that a previously obtained refresh or access token is no longer needed, allowing the server to clean up security credentials. The implementation conforms to the token revocation specification.
Since a token is part of a grant, when one token is invalidated, all other tokens within the same grant are also revoked: when a refresh token belonging to a grant is invalidated, all access tokens from the same grant are invalidated too, and vice versa.
The URL of the revocation endpoint on Janssen Server is listed in the response of Janssen Server's well-known configuration endpoint given below.
The revocation_endpoint claim in the response specifies the URL of the revocation endpoint. By default, the revocation endpoint looks like below:
More information about the request and response of the revocation endpoint can be found in the OpenAPI specification of the jans-auth-server module.
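Putting the discovery step and the endpoint together, the following is an added example (not code from the Janssen project or from the jans-auth-server OpenAPI specification): it reads the revocation_endpoint claim from a constructed well-known configuration document, builds the RFC 7009 form body and a client_secret_basic Authorization header, and maps the HTTP status of the reply to an outcome. The hostname, client id, secret and token values are placeholders, and nothing is sent over the network.

```python
"""Build a token revocation request from the server's well-known config.

Added example, not Janssen code. The hostname, client credentials and
token strings below are constructed placeholders.
"""
import base64
import json
from urllib.parse import urlencode

# Constructed sample of a well-known configuration response; a real
# response carries many more claims than the three used here.
WELL_KNOWN_JSON = json.dumps({
    "issuer": "https://op.example.test",
    "token_endpoint": "https://op.example.test/jans-auth/restv1/token",
    "revocation_endpoint": "https://op.example.test/jans-auth/restv1/revoke",
})


def discover_revocation_endpoint(well_known_json: str) -> str:
    """Return the revocation_endpoint claim, refusing non-HTTPS or missing values."""
    cfg = json.loads(well_known_json)
    url = cfg.get("revocation_endpoint")
    if not url or not url.startswith("https://"):
        raise ValueError("no HTTPS revocation_endpoint advertised by the server")
    return url


def build_revocation_request(well_known_json: str, client_id: str,
                             client_secret: str, token: str,
                             token_type_hint: str = None):
    """Return (url, headers, body) for an RFC 7009 revocation POST.

    The body is application/x-www-form-urlencoded with `token` and the
    optional `token_type_hint`; the client authenticates with HTTP Basic
    (client_secret_basic), never by placing the secret in the form body.
    """
    url = discover_revocation_endpoint(well_known_json)
    form = {"token": token}
    if token_type_hint:
        form["token_type_hint"] = token_type_hint
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode(form)


def interpret_response(status: int, body: str) -> str:
    """Map the revocation reply to an outcome.

    RFC 7009 answers 200 both when the token was revoked and when it was
    already invalid, so a 200 never confirms the token existed. A 400
    carries an OAuth error such as unsupported_token_type; a 401 means the
    client itself failed to authenticate.
    """
    if status == 200:
        return "revoked-or-already-invalid"
    if status == 400:
        err = json.loads(body or "{}").get("error", "invalid_request")
        return f"error:{err}"
    if status == 401:
        return "error:invalid_client"
    return f"unexpected:{status}"


if __name__ == "__main__":
    url, hdrs, body = build_revocation_request(
        WELL_KNOWN_JSON, "client-1", "s3cret", "rt-abc", "refresh_token")
    print(url)
    print(hdrs["Authorization"])
    print(body)
    print(interpret_response(200, ""))
```

Because a 200 is returned for unknown tokens as well, a client cannot use the revocation endpoint to probe whether a token is valid; use introspection for that.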
Disabling The Endpoint Using Feature Flag
The token revocation endpoint can be enabled or disabled using the REVOKE_TOKEN feature flag.
Use the Janssen Text-based UI (TUI) or the Janssen command-line interface to perform this task.
When using TUI, navigate via enabledFeatureFlags to the screen below. From here, enable or disable the REVOKE_TOKEN flag as required.
The token revocation endpoint can be further configured using the Janssen Server configuration properties listed below. When using the Janssen Text-based UI (TUI) to configure the properties,
Revoke all tokens by
To remove all tokens for a given client_id, the following is required:
- set the allowAllValueForRevokeEndpoint AS configuration property to
- pass in request parameter
- the client is identified by Client Authentication performed by the AS to grant access to
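The grant-scoped behaviour described at the start of this page, together with the per-client revocation above, modelled as an added Python example (not Janssen code): a token store that maps every access and refresh token to its grant, revokes the whole grant when any one of its tokens is revoked, and revokes every grant of a client on request. Grant, token and client identifiers are constructed sample values, and no request parameter of the real endpoint is assumed.

```python
"""Model of grant-scoped token revocation (added example, not Janssen code).

Every access and refresh token belongs to a grant. Revoking any token
revokes the grant, so sibling tokens stop working too; revoking all
tokens of a client revokes every grant that client holds. All ids below
are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Grant:
    grant_id: str
    client_id: str
    tokens: Set[str] = field(default_factory=set)  # access and refresh tokens
    revoked: bool = False


class TokenStore:
    """Tracks which grant each token belongs to and whether it is live."""

    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}
        self._token_to_grant: Dict[str, str] = {}

    def issue(self, grant_id: str, client_id: str, *tokens: str) -> None:
        grant = self._grants.setdefault(grant_id, Grant(grant_id, client_id))
        for tok in tokens:
            grant.tokens.add(tok)
            self._token_to_grant[tok] = grant_id

    def revoke(self, token: str) -> bool:
        """Revoke the grant owning `token`, invalidating every token in it.

        Returns False for an unknown token; a real endpoint would still
        answer 200 so callers cannot probe token validity this way.
        """
        grant_id = self._token_to_grant.get(token)
        if grant_id is None:
            return False
        self._grants[grant_id].revoked = True
        return True

    def revoke_all_for_client(self, client_id: str) -> int:
        """Revoke every live grant held by one client; returns how many."""
        count = 0
        for grant in self._grants.values():
            if grant.client_id == client_id and not grant.revoked:
                grant.revoked = True
                count += 1
        return count

    def is_active(self, token: str) -> bool:
        grant_id = self._token_to_grant.get(token)
        return grant_id is not None and not self._grants[grant_id].revoked


def demo() -> dict:
    """Walk through both directions of grant revocation plus revoke-all."""
    store = TokenStore()
    # Constructed sample: two grants for client "app-a", one for "app-b".
    store.issue("g1", "app-a", "at-g1-1", "at-g1-2", "rt-g1")
    store.issue("g2", "app-a", "at-g2", "rt-g2")
    store.issue("g3", "app-b", "at-g3", "rt-g3")

    store.revoke("rt-g1")  # refresh token revoked: g1 access tokens die, g2 untouched
    after_rt = (store.is_active("at-g1-1"),
                store.is_active("at-g1-2"),
                store.is_active("at-g2"))
    store.revoke("at-g2")  # access token revoked: g2 refresh token dies too
    after_at = store.is_active("rt-g2")
    unknown = store.revoke("not-a-token")
    revoked_b = store.revoke_all_for_client("app-b")
    return {
        "after_rt": after_rt,
        "after_at": after_at,
        "unknown": unknown,
        "revoked_b": revoked_b,
        "at_g3": store.is_active("at-g3"),
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the operational consequence explicit: revoking a single leaked access token also kills the refresh token of that grant, so the client must re-authorize rather than silently refresh.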
Revoke Interception Script
The endpoint can provide custom behavior by implementing the Revoke Token interception script.