revocation_ endpoint
Registry Context
Optional OAuth authorization server metadata containing the URL of the server's OAuth 2.0 token revocation endpoint. Revocation endpoint URLs must use HTTPS and follow the endpoint URI rules incorporated from RFC 6749 Section 3.1.
Technical Summary
`revocation_endpoint` is an OPTIONAL OAuth Authorization Server Metadata parameter whose value is the authorization server's OAuth 2.0 revocation endpoint URL. RFC 7009 requires this URL to conform to RFC 6749 Section 3.1 and to use HTTPS.
When Used
When an authorization server publishes metadata and chooses to advertise its OAuth 2.0 token revocation endpoint.
Normative Requirements
Clients
RFC 7009 - Section 2
Verify that the token revocation endpoint URL is an HTTPS URL..
Condition: When obtaining or using the token revocation endpoint URL.
"Clients MUST verify that the URL is an HTTPS URL."
Authorization servers
RFC 7009 - Section 2
Publish the corresponding HTTP URI as a token revocation endpoint..
Condition: If the revocation endpoint host is reachable over HTTP and the server offers a revocation service at the corresponding HTTP URI.
"it MUST NOT publish this URI as a token revocation endpoint."
RFC 7009 - Section 2
Use Transport Layer Security in a version compliant with RFC 6749 Section 1.6 for the token revocation endpoint..
"The authorization server MUST use Transport Layer Security (TLS) ... in a version compliant with [RFC6749], Section 1.6."
Authorization server metadata publishers
RFC 8414 - Section 2
Include the revocation_endpoint metadata entry containing the URL of the authorization server's OAuth 2.0 revocation endpoint..
Condition: When publishing OAuth Authorization Server Metadata.
"revocation_endpoint OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint"
Requests
RFC 6749 - Section 3.1
Retain the endpoint URI's existing query component when adding additional query parameters..
Condition: When the token revocation endpoint URI contains a query component.
"which MUST be retained when adding additional query parameters."
Token revocation endpoint URI
RFC 6749 - Section 3.1
Include a fragment component..
"The endpoint URI MUST NOT include a fragment component."
RFC 6749 - Section 3.1
Include an application/x-www-form-urlencoded query component..
"The endpoint URI MAY include an application/x-www-form-urlencoded formatted ... query component"
Token revocation endpoint URL
RFC 7009 - Section 2
Conform to the endpoint URI rules in RFC 6749 Section 3.1..
"This URL MUST conform to the rules given in [RFC6749], Section 3.1."
RFC 7009 - Section 2
Use the HTTPS scheme..
"URLs for token revocation endpoints MUST be HTTPS URLs."
Validation Guidance
Allow the metadata field to be absent. If present, require a valid HTTPS URL.
Reject a revocation endpoint URI containing a fragment component.
Permit an application/x-www-form-urlencoded query component and preserve it when constructing requests with additional query parameters.
Ensure the published value is not an HTTP URI, including when a corresponding HTTP revocation service exists.
Verify operationally that the revocation endpoint uses a TLS version compliant with RFC 6749 Section 1.6.
Security Notes
RFC 7009 - Section 2
The revocation endpoint location needs to be obtained from a trustworthy source because the endpoint handles security credentials.
RFC 7009 - Section 2
Revocation requests transmit plaintext credentials in the HTTP request, which is why revocation endpoint URLs are required to use HTTPS.
Reference
Details
- Entry Id
revocation_endpoint - Metadata Name
revocation_endpoint - Metadata Description
URL of the authorization server's OAuth 2.0 revocation endpoint- Change Controller
IESG- Reference
RFC8414 - Section 2