REST API for OAuth in Oracle Access Manager

Revoke tokens for a user

post

/oam/services/rest/consent/revoke

The REST API enables Administrator to invalidate Access or Refresh Tokens issued for a user or a user+client+resource server combination via Authorization code flow (three legged OAuth flow). The API returns all the updated consents for the provided combination. Tokens can also be revoked by giving a specific timestamp.

Request

Supported Media Types

application/x-www-form-urlencoded

Header Parameters

authorization(required): string

Base64 encoded header of Administrator:Secret. This is an authentication mechanism for weblogic Administrator to access resource.
x-oauth-identity-domain-name(required): string

OAuth Identity Domain name under which token revoke is being requested.

Form Parameters

clientIdentifier: string

OAuth Client ID/Identifier. If provided, you must specify the resServerId to uniquely identify the client.
resServerId: string

OAuth Application ID/Identifier. Required to uniquiely identify client entity, resServerId is mandatory if clientIdentifier is provided.
revoke_type: string

entity to be revoked. Possible values are - ACCESS_TOKENS, REFRESH_TOKENS, TOKENS

Default Value: TOKENS
timestamp: string

all tokens issued before this timestamp will be invalidated. timestamp needs to be in the following format yyyy-MM-dd'T'HH:mm:ssZ format. 'Z' is Time offsets from UTC.
For example
Feb 20 09:45:51 UTC 2021 --> 2021-02-20T09:45:51Z
Mar 04 00:39:12 PST 2021 --> 2021-03-04T00:39:12-0800
userId(required): string

User name/identifier. Name of the user whos grant/consent was used to create tokens.

Response

Supported Media Types

application/json

200 Response

Sucessfully updated user consent with revoke details

Root Schema : consentAfterRevoke

Type: array

Array of user consent

Show Source

Array of: object consentAfterRevoke

{
    "description":"Array of user consent",
    "type":"array",
    "xml":{
        "name":"consentAfterRevoke",
        "wrapped":true
    },
    "items":{
        "$ref":"#/definitions/consentAfterRevoke"
    }
}

Nested Schema : consentAfterRevoke

Type: object

Show Source

clientId(required): string

OAuth Client Identifier

Example: clientA
consentId(required): string

OAuth Consent Unique Identifier

Example: 30650989-8e53-3010-b06a-98b0ef42b65d
createTimeStamp(required): string

Creation timestamp for OAuth Consent

Example: Tue Mar 09 21:12:06 PST 2021
resourceId(required): string

OAuth Application Identifier

Example: 66ac1a16-ee37-4525-81f6-9062d69a743c
revokeTimestamp(required): string

String of key value pairs where value describes the revoke timestamp applicable to the key, key can have following possible values TOKENS, ACCESS_TOKENS, REFRESH_TOKENS depending on the revoke_type. All the token types generated before the specified timestamp will be revoked.

Example: TOKENS=2021-03-08T23:30:33-0800, ACCESS_TOKENS=2021-03-08T20:30:33-0800, REFRESH_TOKENS=2021-03-08T21:30:33-0800
scopes(required): array scope
valid(required): boolean

Flag to identify OAuth Consent validity. True - Consent is valid, False - Consent is In-valid

Example: true

{
    "type":"object",
    "required":[
        "clientId",
        "consentId",
        "createTimeStamp",
        "resourceId",
        "scopes",
        "valid",
        "revokeTimestamp"
    ],
    "properties":{
        "clientId":{
            "type":"string",
            "description":"OAuth Client Identifier",
            "example":"clientA"
        },
        "consentId":{
            "type":"string",
            "description":"OAuth Consent Unique Identifier",
            "example":"30650989-8e53-3010-b06a-98b0ef42b65d"
        },
        "createTimeStamp":{
            "type":"string",
            "description":"Creation timestamp for OAuth Consent",
            "example":"Tue Mar 09 21:12:06 PST 2021"
        },
        "resourceId":{
            "type":"string",
            "description":"OAuth Application Identifier",
            "example":"66ac1a16-ee37-4525-81f6-9062d69a743c"
        },
        "scopes":{
            "type":"array",
            "xml":{
                "name":"scope",
                "wrapped":true
            },
            "items":{
                "$ref":"#/definitions/scope"
            },
            "example":[
                "DemoResServer.DefaultScope"
            ]
        },
        "valid":{
            "type":"boolean",
            "description":"Flag to identify OAuth Consent validity.\n True - Consent is valid,\n False - Consent is In-valid",
            "example":true
        },
        "revokeTimestamp":{
            "type":"string",
            "description":"String of key value pairs where value describes the revoke timestamp applicable to the key, key can have following possible values TOKENS, ACCESS_TOKENS, REFRESH_TOKENS depending on the revoke_type. All the token types generated before the specified timestamp will be revoked.",
            "example":"TOKENS=2021-03-08T23:30:33-0800, ACCESS_TOKENS=2021-03-08T20:30:33-0800, REFRESH_TOKENS=2021-03-08T21:30:33-0800"
        }
    }
}

Nested Schema : scope

Type: array

Show Source

Array of: string

OAuth Scope string.

{
    "type":"array",
    "xml":{
        "name":"scope",
        "wrapped":true
    },
    "items":{
        "$ref":"#/definitions/scope"
    },
    "example":[
        "DemoResServer.DefaultScope"
    ]
}

Example:

[
    "DemoResServer.DefaultScope"
]

400 Response

Failed to retrieve user consent - detail

Root Schema : schema

Type: object

Show Source

error: string

Error code
error_description: string

Error description

{
    "type":"object",
    "properties":{
        "error":{
            "type":"string",
            "description":"Error code"
        },
        "error_description":{
            "type":"string",
            "description":"Error description"
        }
    },
    "example":{
        "error":"400",
        "error_description":"Required parameter 'X-OAUTH-IDENTITY-DOMAIN-NAME' is not present."
    }
}

Example:

{
    "error":"400",
    "error_description":"Required parameter 'X-OAUTH-IDENTITY-DOMAIN-NAME' is not present."
}

Examples

cURL Sample Request

This example demonstrates a sample request to revoke all Refresh Tokens for a user based on Timestamp

curl --location --request POST '<AdminServerHost>:<AdminServerPort>/oam/services/rest/consent/revoke' \
--header 'Authorization: Basic d2VibG9naWM6d2VsY29tZTE=' \
--header 'x-oauth-identity-domain-name: DemoDomain' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=NysahaoNLyc13HzjEh93gJmwbY4HnMetJQY33RE8_ZdBpzpw7kdr!-472705583' \
--data-urlencode 'userId=UserA' \
--data-urlencode 'revoke_type=REFRESH_TOKENS' \
--data-urlencode 'timestamp=2021-03-09T15:30:33+0800'

cURL Sample Response

{
    "consents": [
        {
            "clientId": "DemoClientId",
            "consentId": "30650989-8e53-3010-b06a-98b0ef42b65d",
            "createTimeStamp": "Fri Mar 12 03:55:31 PST 2021",
            "resourceId": "66ac1a16-ee37-4525-81f6-9062d69a743c",
            "scopes": [
                "DemoResServer.DefaultScope"
            ],
            "tokenRevokeTimestamp": "REFRESH_TOKENS=2021-03-08T03:56:49-0800",
            "valid": true
        }
    ]
}