Revoke an OAuth 2.0 access token

Alias

CscOauth2Revoke

Description

Revokes an access token so that it becomes invalid before it expires (see RFC 7009).

Request

To revoke an access token, the client application must send the following request to the TRIDENT using TLS.

POST /trustedx-resources/csc/v2/oauth2/revoke

Important

[CSC_STANDARD_V2] requires that the base path of all requests of the access API to a remote signature services provider be /csc/v2/. Thus, if the TRIDENT administrator decides to follow the standard strictly, they must deploy the system so that the base path of the request is /csc/v2 instead of /trustedx-resources/csc/v2. To determine if this is the case in your situation, check the "oauth2" property of the JSON object provided by the Obtain information on the CSC signature service operation.

Content-Type Header

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Request Parameters

Name    Type    Usage     Description
token   String  Required  Token to be revoked.

Authentication of the Client Application

The application must include an Authorization header with the following structure:

Authorization: Basic {credentials}

Where {credentials} is the result of encoding the client identifier of the application (client_id) and its secret (client_secret) as follows:

base64(url_encode(utf8(client_id)) ':' url_encode(utf8(client_secret)))

The meaning of the above pseudocode is:

  • Encode client_id in UTF-8. Next, encode the results obtained by applying the URL character escape rules.

  • Encode client_secret in UTF-8. Next, encode the results obtained by applying the URL character escape rules.

  • Concatenate both using colons (":") as the separator.

  • Encode the resulting string in base64 without line breaks.

The rules for escaping characters in URLs are those defined for the application/x-www-form-urlencoded MIME format in the HTML specification, and must be applied to the bytes resulting from encoding the identifier or secret in UTF-8. See the example below.

Note

The HTTP basic authentication scheme defined in RFC 2617 does not specify that the credentials must be encoded in UTF-8 and in URL format. The use of these additional encoding rules is part of OAuth 2.0. If a software library or tool that generates the Authorization header as per RFC 2617 is used, keep this in mind, especially when the identifier or secret contains extended symbols or characters.
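As an added illustration (not code from the TRIDENT documentation), the following Python builds the Authorization header exactly as the four steps above describe, decodes it again the way a server would, and contrasts it with the plain RFC 2617 encoding the Note warns about. The identifier signatureapp and secret 12345678 are the page's own example values; the second secret containing a space, "@" and "ö" is constructed here to show where the two encodings diverge.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def form_escape(value: str) -> str:
    """Step 1/2: UTF-8 encode, then apply application/x-www-form-urlencoded
    escaping to the resulting bytes (space -> '+', everything reserved -> %XX)."""
    return quote_plus(value.encode("utf-8"), safe="")


def basic_credentials(client_id: str, client_secret: str) -> str:
    """Steps 3/4: join the escaped parts with ':' and base64 the whole string
    without line breaks. This is the {credentials} part of the header."""
    joined = f"{form_escape(client_id)}:{form_escape(client_secret)}".encode("ascii")
    return base64.b64encode(joined).decode("ascii")


def authorization_header(client_id: str, client_secret: str) -> str:
    return "Basic " + basic_credentials(client_id, client_secret)


def parse_basic_authorization(header_value: str) -> tuple[str, str]:
    """Inverse operation, as the server side performs it: base64 decode, split on
    the first ':' (a literal ':' inside id or secret was escaped to %3A, so the
    first one is always the separator), then undo the form escaping."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not an HTTP Basic Authorization header")
    decoded = base64.b64decode(encoded).decode("ascii")
    cid, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return unquote_plus(cid), unquote_plus(secret)


def rfc2617_credentials(client_id: str, client_secret: str) -> str:
    """What a generic RFC 2617 Basic-auth helper produces: no URL escaping.
    Kept only for comparison; do not send this to an OAuth 2.0 endpoint."""
    return base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Page example: both encodings agree because id and secret are plain ASCII.
    print(authorization_header("signatureapp", "12345678"))
    # Constructed secret with extended characters: the encodings differ.
    tricky = "p@ss wörd"
    print(basic_credentials("signatureapp", tricky))
    print(rfc2617_credentials("signatureapp", tricky))
```

The base64 value printed for the page's own example is the one shown in the request example further down; the differing values for the constructed secret are why a library that only implements RFC 2617 produces credentials TRIDENT will reject as invalidCredentials. (Implementations differ slightly on whether "*" and "~" are escaped; a form-urlencoded decoder accepts either form.)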

Authorization

No access token is required.

Response

Status-Line

Whether the access token is revoked successfully or is not revoked because it is already invalid (e.g., because it expired, was already revoked, or was never issued), the HTTP response contains the following Status-Line:

HTTP/1.1 204 No Content

Error Management

If the request for revoking an access token is not successfully processed, TRIDENT returns an HTTP error response with the Content-Type: application/json;charset=utf-8 header and a JSON object in the body with the following properties:

  • error: Error code.

  • error_description: Additional description of the error. Optional.

Error case                                                                                            Status Code (HTTP)  error            error_description
The token to be revoked was not provided.                                                             400 Bad Request     invalid_request  missingToken
The client_id of the application requesting that the access token be revoked was not provided.       401 Unauthorized    invalid_client   noCredentials
The client_id provided is invalid.                                                                    401 Unauthorized    invalid_client   unregisteredClient
The client_secret of the application requesting that the access token be revoked was not provided.   401 Unauthorized    invalid_client   noCredentials
The client_secret provided is invalid.                                                                401 Unauthorized    invalid_client   invalidCredentials
The Authorization header is invalid.                                                                  401 Unauthorized    invalid_client   noCredentials
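To show how a client should treat the 204 / error-object contract described above, here is an added Python example (not code from the TRIDENT documentation): it builds the form body, sends the request over TLS to the configurable base path mentioned in the Important note, and maps the answer to a small result object. The Authorization header value is passed in already built. The three sample responses at the bottom are constructed to mirror rows of the error table; they were not captured from a real TRIDENT.

```python
import http.client
import json
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlencode


@dataclass
class RevokeOutcome:
    """Outcome of one revocation attempt under the page's contract."""
    revoked: bool                          # True on 204, which also covers already-invalid tokens
    status: int
    error: Optional[str] = None            # "error" property of the JSON error object
    error_description: Optional[str] = None


def revoke_body(token: str) -> str:
    """application/x-www-form-urlencoded body carrying the single 'token' parameter."""
    return urlencode({"token": token})


def _header(headers: Mapping[str, str], name: str) -> str:
    # Header names are case-insensitive; do not depend on the server's spelling.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def interpret_revoke_response(status: int, headers: Mapping[str, str], body: bytes) -> RevokeOutcome:
    """204 means the token is now invalid (revoked just now, or already expired,
    revoked or unknown). Anything else must carry a JSON object with 'error'
    and optionally 'error_description'; a non-JSON body is reported as such
    rather than being mistaken for success."""
    if status == 204:
        return RevokeOutcome(revoked=True, status=status)
    ctype = _header(headers, "Content-Type").replace(" ", "").lower()
    if not ctype.startswith("application/json"):
        return RevokeOutcome(False, status, "unexpected_response",
                             f"no JSON error body (Content-Type {ctype!r})")
    try:
        obj = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return RevokeOutcome(False, status, "unexpected_response", "malformed JSON error body")
    return RevokeOutcome(False, status, obj.get("error"), obj.get("error_description"))


def send_revoke(host: str, authorization: str, token: str,
                base_path: str = "/trustedx-resources/csc/v2") -> RevokeOutcome:
    """Send the revocation request over TLS and interpret the answer.

    authorization: full value of the Authorization header ("Basic ...").
    base_path: "/csc/v2" on deployments that follow [CSC_STANDARD_V2] strictly.
    """
    conn = http.client.HTTPSConnection(host, timeout=10)   # TLS, as the page requires
    try:
        conn.request("POST", base_path + "/oauth2/revoke", body=revoke_body(token),
                     headers={"Authorization": authorization,
                              "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"})
        resp = conn.getresponse()
        return interpret_revoke_response(resp.status, dict(resp.getheaders()), resp.read())
    finally:
        conn.close()


# Constructed sample responses mirroring the page's error table (not real captures).
SAMPLE_OK = (204, {}, b"")
SAMPLE_NO_CREDENTIALS = (401, {"Content-Type": "application/json;charset=utf-8"},
                         b'{"error":"invalid_client","error_description":"noCredentials"}')
SAMPLE_MISSING_TOKEN = (400, {"content-type": "application/json;charset=utf-8"},
                        b'{"error":"invalid_request","error_description":"missingToken"}')

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_CREDENTIALS, SAMPLE_MISSING_TOKEN):
        print(interpret_revoke_response(*sample))
```

Note that a 204 does not tell the client whether the token was live a moment ago; if an application needs to know that, it has to track it itself, because the endpoint deliberately answers the same way for expired, already-revoked and never-issued tokens.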

Example

Request

The signature application (client_id = signatureapp, client_secret = 12345678) sends the following request to the TRIDENT:

POST /trustedx-resources/csc/v2/oauth2/revoke HTTP/1.1
Host: rse.corporation.com
Authorization: Basic c2lnbmF0dXJlYXBwOjEyMzQ1Njc4
Content-Type: application/x-www-form-urlencoded
token=_TiHRG-bA-H3XlFQZ3ndFhkXf9P24/CKN69L8gdSYp5_pw

Response

TRIDENT responds to the application informing it that the requested revocation has been performed:

HTTP/1.1 204 No Content