See openid-connect Menu

Revoke a Session


Use this API to end the session for a user and invalidate the access_token.

Resource URL

https://<subdomain>.onelogin.com/oidc/token/revocation

Header Parameter

Authorization

required

string

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

required

string

application/x-www-form-urlencoded

Resource Parameter

subdomain

required

integer

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

token

required

string

The access_token that will be revoked

token_type_hint

string

Set to “access_token”

Sample Request Body

token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_token

Sample Response

{}

The token may already have been revoked

{
    "error": "unsupported_token_type",
    "error_description": "revocation of the presented token type is not supported"
}

The authorization header is invalid

{
    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>.onelogin.com/oidc/token/revocation" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.