Revoking offline token as the client


I know that active offline tokens can be revoked by either the user - through the Account API, or the Admin - through the Admin REST API. What I would like to do is to enable the client to revoke its own active offline tokens. Assuming I have checked "Revoke Refresh Token", a particular offline token could be revoked when getting a new one. The problem is that I'm still getting an active new one. Also, a timeout-based approach won't really work in this scenario.


Is there an existing way to achieve this, or will I have to create a custom endpoint?

Keycloak has a regular OAuth 2.0 Token Revocation Endpoint.

A good night's sleep does wonders sometimes…

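The revocation call the reply points to, sketched as an added example that is not part of the original thread: a confidential client revoking one of its own offline tokens with an RFC 7009 request. The function names, the `sso.example.test` host and the `demo` realm are constructed for illustration; the example assumes the client authenticates with HTTP Basic and reads the endpoint from the realm's OIDC discovery document.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample of an OIDC discovery document; host and realm are placeholders.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://sso.example.test/realms/demo",
  "revocation_endpoint": "https://sso.example.test/realms/demo/protocol/openid-connect/revoke"
}""")


def build_revocation_request(metadata, offline_token, client_id, client_secret):
    """Build the RFC 7009 POST that revokes one refresh/offline token."""
    endpoint = metadata.get("revocation_endpoint")
    if not endpoint or not endpoint.startswith("https://"):
        # The token and client secret must never travel over plain HTTP.
        raise ValueError("no HTTPS revocation_endpoint advertised")
    body = urllib.parse.urlencode({
        "token": offline_token,
        # Offline tokens are refresh tokens, so hint accordingly.
        "token_type_hint": "refresh_token",
    }).encode()
    # RFC 6749 2.3.1: form-encode id and secret before Basic encoding.
    creds = "{}:{}".format(urllib.parse.quote_plus(client_id),
                           urllib.parse.quote_plus(client_secret))
    return urllib.request.Request(endpoint, data=body, method="POST", headers={
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    })


def interpret_revocation_response(status, body=b""):
    """Map the server's answer to an action for the client."""
    if status == 200:
        # RFC 7009: 200 is also returned for unknown or already-revoked tokens.
        return "revoked-or-unknown"
    if status == 503:
        return "retry-later"  # token may still be valid; keep it and retry
    try:
        error = json.loads(body or b"{}").get("error", "unknown_error")
    except ValueError:
        error = "unparseable_error"
    return "failed:" + error
```

Send the request with `urllib.request.urlopen`, which raises `urllib.error.HTTPError` for non-2xx answers; pass that exception's `code` and `read()` result to `interpret_revocation_response`.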