Reputation: 60848
If a user wants to remove him/herself from our service, we delete all of their data from our database, including OAuth tokens. The OAuth tokens we have are secure and persistent. As part of best practice we would like to totally invalidate the tokens, as if they went to their Google accounts page and removed it there. Reading the OAuth documentation, it was not clear to me if this is possible, because all of the examples pertained to single-session or non-secure cases (and excuse my lack of "What did you try?"-ism, but I'm trying to get a quick plan together on how to do this).
So
1) is this possible? Preferably on 1.0?
2) how to do this?
Upvotes: 1
Views: 5345
Reputation: 541
There is now a new way for OAuth2, as described in Google's docs:
```python
import requests

# `credentials` is a google.oauth2.credentials.Credentials object holding the user's token
requests.post('https://oauth2.googleapis.com/revoke',
              params={'token': credentials.token},
              headers={'content-type': 'application/x-www-form-urlencoded'})
```
Please see the docs for complete information.
Upvotes: 0
Reputation: 3018
Yes, you can revoke tokens programmatically as if the user revoked access in their accounts settings page.
For AuthSub and OAuth 1.0, use the AuthSubRevoke token endpoint by making an OAuth-signed request to:
https://www.google.com/accounts/AuthSubRevokeToken
For OAuth 2.0, use the revocation endpoint like:
https://accounts.google.com/o/oauth2/revoke?token={refresh_token}
Upvotes: 6
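The two OAuth 2.0 answers above show the revocation request but not how it fits into the account-deletion flow the question describes. The following is an added example (not code from either answer or from Google) that revokes the stored refresh token at the endpoint named above and only then purges the user's record, so a failed revocation leaves the token available for a retry instead of an orphaned grant that is still valid at Google. It uses only the standard library. The transport is injectable so the example runs offline against a constructed stand-in; the `fake_google_post` responses, the token values, and the `invalid_token` error code Google is assumed to return for an already-revoked token are all assumptions of this example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# OAuth 2.0 revocation endpoint quoted in the answers above.
REVOKE_URL = "https://oauth2.googleapis.com/revoke"


class RevocationError(Exception):
    """Google did not confirm the revocation; keep the stored token and retry later."""


def urllib_post(url, form):
    """Default transport: form-encoded POST using the standard library.

    Returns (status_code, parsed_json_body_or_empty_dict). HTTP error statuses
    are returned rather than raised so the caller can inspect the body.
    """
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        body = json.loads(raw) if raw else {}
    except ValueError:
        body = {}
    return status, body


def revoke_token(token, post=urllib_post):
    """Revoke one token at Google. Pass the refresh token: revoking it also
    invalidates the access tokens issued from it.

    Returns "revoked" on HTTP 200, or "already_invalid" when Google reports the
    token as no longer valid (assumed: HTTP 400 with error "invalid_token").
    Any other outcome raises RevocationError so the caller does not discard
    its only copy of a token that may still be live.
    """
    try:
        status, body = post(REVOKE_URL, {"token": token})
    except OSError as exc:  # urllib.error.URLError is an OSError
        raise RevocationError(f"could not reach revocation endpoint: {exc}") from exc
    if status == 200:
        return "revoked"
    if status == 400 and body.get("error") == "invalid_token":
        return "already_invalid"
    raise RevocationError(f"unexpected response {status}: {body}")


def delete_account(user_id, token_store, post=urllib_post):
    """Revoke the user's Google grant, then delete their record.

    Order matters: revoke first, delete second. If revocation fails the
    exception propagates and the record (with its token) stays in the store
    for a later retry. Returns False if the user is unknown, True otherwise.
    """
    record = token_store.get(user_id)
    if record is None:
        return False
    revoke_token(record["refresh_token"], post=post)
    del token_store[user_id]
    return True


# ---- constructed stand-in for Google so the example runs offline ----------
def fake_google_post(url, form):
    """Assumed behaviour of the revocation endpoint for three constructed tokens."""
    assert url == REVOKE_URL
    token = form["token"]
    if token == "1//constructed-live-refresh-token":
        return 200, {}
    if token == "1//constructed-already-revoked":
        return 400, {"error": "invalid_token"}
    return 503, {"error": "server_error"}  # Google temporarily unavailable


if __name__ == "__main__":
    # Constructed token store: user id -> stored refresh token.
    store = {
        "alice": {"refresh_token": "1//constructed-live-refresh-token"},
        "bob": {"refresh_token": "1//constructed-already-revoked"},
        "carol": {"refresh_token": "1//constructed-unreachable"},
    }
    print("alice:", delete_account("alice", store, post=fake_google_post))
    print("bob:", delete_account("bob", store, post=fake_google_post))
    try:
        delete_account("carol", store, post=fake_google_post)
    except RevocationError as err:
        print("carol kept for retry:", err)
    print("remaining records:", sorted(store))
```

To use it for real, call `delete_account(user_id, your_store)` without the `post` argument so the standard-library transport talks to Google; wrap the call in whatever retry or job-queue mechanism you use, since a `RevocationError` means the grant is still live and the record was intentionally not deleted.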