Docs Italia beta

Public documents, made digital.

SPID/CIE OIDC - Regole Tecniche version: latest documentation
Project: Progetto demo
Administration: Organizzazione demo
About this document
Source
Actions

Revocation Endpoint

An RP MAY request the revocation of an Access Token or a Refresh Token issued by an OP.

The OP MUST revoke the token specified in the request.

spid-icon

When the user logs out or when his/her session with the RP expires (according to the policies decided by the RP) the RP MUST revoke the Access Token in its possession, if it is not expired yet.

Note

The Access Token revocation implies revoking all the Refresh Tokens linked to it, if not expired yet.

The OP MUST revoke the token specified in the request and MUST end the Single Sign-On session, if it is still active. Any other active tokens for the user must be kept valid.

cieid-icon

The Access Token revocation MUST NOT imply revoking all the Refresh Tokens linked to it.

If the token passed to the request is a Refresh Token, the OP MUST revoke the respective Access Token as well, if it is not expired yet.

Note

The authentication method MUST be private_key_jwt (see the revocation_endpoint_auth_methods_supported parameter in Section Metadata OP)

See also

Request

The request to the Revocation Endpoint consists of sending the token to be revoked, together with a Client Assertion that allows the identification of the RP that sends the request.

Example:

POST /revoke HTTP/1.1
Host: https://op.spid.agid.gov.it
Content-Type: application/x-www-form-urlencoded

client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw
ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswLF88&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwtbearer&
client_id=https%3A%2F%2Frp.spid.agid.gov.it&
token=eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTg3MDI0MTQsImF1ZCI6WyJlNzFmYjcyYS05NzRmLT
QwMDEtYmNiNy1lNjdjMmJjMDAzN2YiXSwiaXNzIjoiaHR0cHM6XC9cL2FzLXZhLmV4YW1wbGUuY29tXC8
iLCJqdGkiOiIyMWIxNTk2ZC04NWQzLTQzN2MtYWQ4My1iM2YyY2UyNDcyNDQiLCJpYXQiOjE0MTg2OTg4
MTR9.FXDtEzDLbTHzFNroW7w27RLk5m0wprFfFH7h4bdFw5fR3pwiqejKmdfAbJvN3_yfAokBv06we5RA
RJUbdjmFFfRRW23cMbpGQCIk7Nq4L012X_1J4IewOQXXMLTyWQQ_BcBMjcW3MtPrY1AoOcfBOJPx1k2jw
RkYtyVTLWlff6S5gKciYf3b0bAdjoQEHd_IvssIPH3xuBJkmtkrTlfWR0Q0pdpeyVePkMSI28XZvDaGnxA4j7QI5loZYeyzGR9
h70xQLVzqwwl1P0-F_0JaDFMJFO1yl4IexfpoZZsB3HhF2vFdL6D_lLeHRyH2g2OzF59eMIsM_Ccs4G47862w

Claim

Description

Supported by

client_assertion

JWT signed with the Relying Party's private key, containing the same parameters included in the Token Endpoint request. The OP must check the validity of all the fields in the JWT, and the validity of its signature, according to the parameter client_id.

spid-icon cieid-icon

client_assertion_type

String. urn:ietf:params:oauth:clientassertion-type:jwt-bearer

spid-icon cieid-icon

client_id

URL HTTPS that uniquely identifies the RP.

spid-icon cieid-icon

token

The token which the RP is asking to revoke.

spid-icon cieid-icon

Response

The Revocation Endpoint answers with a code HTTP 200, also though the indicated token does not exist or has already been revoked (so that non information is going to be released).

Error codes

As defined for Token endpoint.