OAuth 2.0 helps secure modern applications, but token misuse remains a key security risk. That’s where token revocation comes in. This guide walks you through how OAuth 2.0 token revocation works, when to use it, and how to implement it using real examples — including Java code and ForgeRock configuration insights.
Why Token Revocation Matters
Access tokens and refresh tokens give clients access to protected resources — but what if:
- A device is lost or stolen?
- A user logs out and the session must be invalidated?
- A token is leaked or compromised?
Token revocation enables you to proactively invalidate these tokens and block future access.
Token Revocation in OAuth 2.0
RFC 7009 defines the OAuth 2.0 Token Revocation specification. It lets a client tell the authorization server that a previously issued token is no longer needed, so the server can invalidate it. The request is a form-encoded POST to the revocation endpoint:
```http
POST /oauth2/revoke HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)

token=access_or_refresh_token_value
```
🔐 Clients must authenticate when calling the revocation endpoint.
Example: Revoke a Token via cURL
```bash
curl -X POST https://auth.example.com/oauth2/revoke \
  -u "your-client-id:your-client-secret" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=eyJhbGciOi..."   # token to revoke
```
✅ You can revoke either access tokens or refresh tokens.
Java Example: Revoking a Token Using Spring’s RestTemplate
```java
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Java method to revoke a token using the OAuth 2.0 revocation endpoint (RFC 7009)
public void revokeToken(String tokenToRevoke) {
    RestTemplate restTemplate = new RestTemplate();
    HttpHeaders headers = new HttpHeaders();
    // Client authentication: HTTP Basic with the client ID and secret
    headers.setBasicAuth("your-client-id", "your-client-secret");
    headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
    // Form body carries the token to revoke
    MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
    body.add("token", tokenToRevoke);
    HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(body, headers);
    // A 200 response means the token was revoked (or was already invalid)
    restTemplate.postForEntity("https://auth.example.com/oauth2/revoke", request, Void.class);
}
```
Token Revocation vs Expiry
| Token Expiry | Token Revocation |
|---|---|
| Automatically handled | Requires explicit call |
| Time-based | User or app-triggered |
| Can’t be reversed | Immediate and enforced |
🧠 Revocation gives immediate control — unlike waiting for tokens to expire.
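To show what the server does behind the revocation endpoint described above, and how revocation differs from expiry at check time, here is an added in-memory model of an RFC 7009 revocation handler with an introspection-style `is_active` check. It is example code, not the post’s Java client or ForgeRock’s implementation; the client registry, token store and token values are constructed for the demo, and the cascade from a refresh token to its grant’s access tokens follows the recommendation in RFC 7009 section 2.1.

```python
import base64
import hmac
import time

CLIENTS = {"your-client-id": "your-client-secret"}  # constructed client registry
# Constructed store: token value -> record. Tokens from one grant share a
# grant_id so revoking the refresh token can cascade (RFC 7009 section 2.1).
TOKENS = {
    "rt_demo": {"type": "refresh_token", "client_id": "your-client-id",
                "grant_id": "g1", "exp": None, "revoked": False},
    "at_demo": {"type": "access_token", "client_id": "your-client-id",
                "grant_id": "g1", "exp": time.time() + 3600, "revoked": False},
}

def basic_auth_header(client_id, client_secret):  # "Basic base64(id:secret)"
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def authenticate_client(auth_header):  # returns client_id for a valid header, else None
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id

def revoke(auth_header, form):
    """Handle POST /oauth2/revoke; returns (http_status, json_body)."""
    client_id = authenticate_client(auth_header)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    rec = TOKENS.get(form.get("token"))
    # RFC 7009 answers 200 even for invalid tokens, so the endpoint cannot be
    # used to probe which values exist; other clients' tokens are left alone.
    if rec is None or rec["client_id"] != client_id:
        return 200, {}
    rec["revoked"] = True
    if rec["type"] == "refresh_token":  # cascade to the grant's access tokens
        for other in TOKENS.values():
            if other["grant_id"] == rec["grant_id"]:
                other["revoked"] = True
    return 200, {}

def is_active(token, now=None):  # introspection-style: known, unrevoked, unexpired
    rec = TOKENS.get(token)
    if rec is None or rec["revoked"]:
        return False
    return rec["exp"] is None or (time.time() if now is None else now) < rec["exp"]
```

Note that `is_active` returns false for a revoked access token even though its `exp` is still in the future, which is exactly the gap a resource server relying on expiry alone would miss.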
ForgeRock-Specific Implementation
If you’re using ForgeRock Identity Cloud or AM, token revocation can be enabled as follows:
- Enable Token Revocation Endpoint in your OAuth2 provider config
- Optionally configure audit logging to track revocation events
- Support token introspection so resource servers can check whether a token is still active
You can revoke tokens via:
- REST endpoint
- Admin UI
- Identity Gateway (IG) scripting
Real-World Example
Suppose a user logs in from a public terminal and forgets to log out. You can use revocation to immediately invalidate their tokens via the backend — ensuring the session is fully terminated.
[User Logout] → [Backend detects refresh_token] → [Revoke Token API Call] ✅
Security Best Practices
- 🔒 Always support token revocation for refresh tokens
- 🧠 Consider implementing token introspection to validate token state at runtime
- ⚙️ Automate token revocation on logout or suspicious behavior
👉 Related:
How to Refresh Access Tokens in OAuth 2.0 (Java Example Included)
Understanding the Authorization Code Flow in OAuth 2.0
How to Implement the OAuth 2.0 Authorization Code Flow in Java
Conclusion: Build Secure Logout and Revocation into Your OAuth Flow
OAuth token revocation is essential for building secure and responsive applications. Whether it’s for logout, device theft, or compromised sessions, revoking tokens ensures users remain in control of their access.
🔍 Do you support full session invalidation on logout? 🔐 Are your clients able to revoke tokens when users request it?
In the next guide, we’ll cover token introspection — so you can verify whether a token is valid and active in real time.