Issue
We want to provide a public REST API method to revoke the OAuth2 tokens following the RFC 7009 specification https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
Does Liferay provide this functionality?
Environment
- Liferay DXP 7.3
- Liferay DXP 7.4
Resolution
Unfortunately, Liferay doesn't provide a REST API method to revoke the OAuth2 tokens.
The RFC 7009 is an extension to OAuth2 core specs, so it's not mandatory to implement it:
- The OAuth 2.0 core specification [RFC6749] defines several ways for a client to obtain refresh and access tokens.
- The RFC 7009 supplements the core specification with a mechanism to revoke both types of tokens.
The internal OAUTH2-27 issue is opened to track this feature request, but there is no plan to implement this in a short term.
The only way to revoke tokens is to use the user interface as it is explained in the official documentation:
As a workaround you could implement a revoke API with a custom development using the Liferay API to revoke the tokens:
- Here there is the public API that allows you to revoke an authorization: https://github.com/liferay/liferay-portal/blob/29b73b9b896c7d44fb5d1800a402698c303d1cf6/modules/apps/oauth2-provider/oauth2-provider-api/src/main/java/com/liferay/oauth2/provider/service/OAuth2AuthorizationService.java#L79
- Here there are some internal APIs that allows you to get the authorization record using the token: https://github.com/liferay/liferay-portal/blob/29b73b9b896c7d44fb5d1800a402698c303d1cf6/modules/apps/oauth2-provider/oauth2-provider-api/src/main/java/com/liferay/oauth2/provider/service/OAuth2AuthorizationLocalService.java#L263-L269
Additional Information