Token Endpoints¶
Django OAuth 2.0 authorization server has a method to register other token
endpoints: authorization_server.register_endpoint
. Available endpoints
for now:
Revocation Endpoint from RFC7009
Introspection Endpoint from RFC7662
Revocation Endpoint¶
The revocation endpoint for OAuth authorization servers allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed.
This allows the authorization server to clean up security credentials. A revocation request will invalidate the actual token and, if applicable, other tokens based on the same authorization grant.
For example, a client may request the revocation of a refresh token with the following request:
POST /oauth/revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
In Authlib Django OAuth 2.0 provider, we can simply add this feature:
from authlib.integrations.django_oauth2 import RevocationEndpoint
from django.views.decorators.http import require_http_methods
# see Authorization Server chapter
server.register_endpoint(RevocationEndpoint)
@require_http_methods(["POST"])
def revoke_token(request):
return server.create_endpoint_response(RevocationEndpoint.ENDPOINT_NAME, request)
That’s all we need. Add this revoke_token
to your routes to enable it. The suggested
url path is /oauth/revoke
.
Introspection Endpoint¶
Check Register Introspection Endpoint to get more details.