How to revoke Gitlab authorize token?

I use GitLab OpenID Connect. I want to implement sign-out logic in my app, but I can't figure out how to revoke tokens for users. I tried sending POST and DELETE requests to /oauth/revoke, but it did not work.
Basic logic I want to implement:
oidc = self.appbuilder.sm.oid
oidc.logout()
super(AuthOIDCView, self).logout()
payload = {
    "client_id": config.get("client_id"),
    "client_secret": config.get("client_secret"),
    "token": config.get("token"),
}
headers = {"content-type": "application/json"}
requests.post("https://gitlab.com/oauth/revoke", data=payload, headers=headers)

I've figured out the question. If someone has the same question, to revoke the token you should do the following:

from requests.auth import HTTPBasicAuth
import requests

# token to revoke plus the hint for its type; sent form-encoded via data=
payload = {
    "token": "<your_access_token>",
    "token_type_hint": "refresh_token",
}
# client credentials go in HTTP Basic auth, not in the body
auth = HTTPBasicAuth("<your client_id>", "<your client_secret>")
res = requests.post("https://gitlab.com/oauth/revoke",
                    data=payload,
                    auth=auth,
                    )

I am having problems making this work. I get a 200 OK and an empty JSON object as a response, but the OAuth token is still present and valid at:

https://gitlab.com/-/profile/applications

I’m trying:

curl \
    -u <client id>:<client secret> \
    -X POST \
    -d '{"token":"<refresh token>", "token_type_hint":"refresh_token"}' \
    https://gitlab.com/oauth/revoke

I’ve also tried:

curl \
    -u <client id>:<client secret> \
    -X POST \
    -d '{"token":"<access token>", "token_type_hint":"Bearer"}' \
    https://gitlab.com/oauth/revoke

Both return 200 OK and an empty JSON hash.

The documentation disagrees with the posted answer:

So I also tried:

curl \
    -X POST \
    'https://gitlab.com/oauth/revoke?client_id=<client id>&client_secret=<client secret>&token=<access token>'

as well as:

curl \
    -X POST \
    -d '{"client_id":"<client id>", "client_secret":"<client secret>", "token":"<access token>"}' \
    https://gitlab.com/oauth/revoke

All report 200 OK. None of them actually revoke the token.

Any ideas?

I know that it is pretty old, but I found out that this endpoint does not like JSON. It should be form-encoded data like below:

POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&token_type_hint=access_token

With that it works. GitLab destroys the token and it is no longer visible in the web UI for my user.

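The working request from the last reply, written out as an added example (not code from any poster): a standard-library Python revocation that sends the form-encoded body with the client credentials in HTTP Basic auth, plus a check against GitLab's GET /oauth/token/info endpoint to confirm the token really is gone instead of trusting the 200. It assumes gitlab.com as the host; the client id, secret and token values used in the test are the sample values from the HTTP request above.

```python
"""Revoke a GitLab OAuth token the way RFC 7009 expects: form-encoded body,
client credentials in HTTP Basic auth, no JSON. Standard library only."""
import base64
import urllib.error
import urllib.parse
import urllib.request

GITLAB = "https://gitlab.com"  # assumed host; change for self-managed instances


def build_revocation_request(client_id, client_secret, token,
                             token_type_hint="access_token", base_url=GITLAB):
    """Return (url, headers, body) for POST /oauth/revoke.

    The body must be application/x-www-form-urlencoded: a JSON body gets a
    200 with an empty hash back and revokes nothing."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {creds}",
    }
    return f"{base_url}/oauth/revoke", headers, body


def revoke_token(client_id, client_secret, token, **kw):
    """Send the revocation and return the HTTP status (200 on success)."""
    url, headers, body = build_revocation_request(client_id, client_secret,
                                                  token, **kw)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def token_is_active(token, base_url=GITLAB):
    """Verify the revocation took effect: GitLab's GET /oauth/token/info
    answers 200 for a live token and 401 once it has been revoked."""
    req = urllib.request.Request(f"{base_url}/oauth/token/info",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise
```

Call revoke_token() and then token_is_active() on the same token; a 200 from the revoke followed by a 401 from the info endpoint is the result to expect, while a 200 from both means the body reached the server in the wrong encoding.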