
Google OAuth2 application. Remove self from user authenticated applications

I know it may sound weird, but I would like my app to disconnect itself from the user.

Just like any Google user may enter his settings and disconnect, as described here: https://webapps.stackexchange.com/questions/5052/unauthenticate-google-oauth-connections

I would like my app to do this by itself. I found no information on that in the API docs; maybe someone has done this already.

I can't believe it's not possible to achieve. There should be some resource to remove any connections.

Sergey Telshevsky asked Aug 03 '13 07:08



1 Answer

It's very hard to find, but documented in the Google API documentation.

Google:

https://developers.google.com/identity/protocols/OAuth2WebServer#tokenrevoke

An application can programmatically revoke its own access. This type of revocation is important in instances where a user unsubscribes or removes an application, in which an API request to remove the permissions granted to the application should be a part of the removal process.

To programmatically revoke a token, your application sends a request to https://accounts.google.com/o/oauth2/revoke and includes the token as a parameter:

curl "https://accounts.google.com/o/oauth2/revoke?token={token}"

The specified token can be an access token or a refresh token. If the token is an access token and it has a corresponding refresh token, the refresh token is also revoked.

If the revocation succeeds, the response's status code is 200. If an error occurs, the response's status code is 400 and the response also contains an error code.

Other Services:

  • Facebook: https://developers.facebook.com/docs/facebook-login/permissions/#revokelogin
  • Twitter: https://dev.twitter.com/docs/api/1.1/post/oauth2/invalidate_token
  • SE: http://api.stackexchange.com/docs/application-de-authenticate
  • Github: http://developer.github.com/v3/oauth/#delete-an-authorization

Twitter: It's not possible to tell if you can revoke all permissions with invalidate_token. Other options aren't available.

All services implementing OAuth 2.0 should provide one revoke possibility. Typically, it follows the Google pattern https://..../oauth2/revoke

Dennis Fischer answered Oct 16 '22 11:10
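
The revocation call described in the answer, wired into an app's removal flow, as an added Python example that is not from the original answer or from Google's documentation. It assumes the endpoint also accepts a form-encoded POST (the RFC 7009 form), which keeps the token out of URLs and logs, and that the 400 body is JSON with an `error` field; `disconnect_user` and the `store` dict are hypothetical names.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

REVOKE_URL = "https://accounts.google.com/o/oauth2/revoke"  # endpoint quoted above


def build_revoke_request(token, url=REVOKE_URL):
    """POST the token in the body (assumption: RFC 7009 form is accepted),
    so it never appears in a URL, proxy log or shell history."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be non-empty and contain no whitespace")
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def revoke_token(token, opener=urllib.request.urlopen, timeout=10):
    """Return (revoked, error_code): 200 -> (True, None), 400 -> (False, code)."""
    try:
        with opener(build_revoke_request(token), timeout=timeout) as resp:
            return resp.status == 200, None
    except urllib.error.HTTPError as err:
        if err.code != 400:
            raise  # unexpected status: surface it rather than assume revoked
        try:  # assumption: the 400 body is JSON with an "error" field
            code = json.loads(err.read().decode("utf-8")).get("error")
        except (ValueError, AttributeError):
            code = None
        return False, code


def disconnect_user(store, user_id, opener=urllib.request.urlopen):
    """Removal flow: revoke at Google, then delete the local copy.

    `store` is a hypothetical dict of user_id -> refresh token. On 200 or 400
    the local token is dropped (a 400 is treated here as "no longer valid");
    any other failure propagates and the token is kept so a retry can revoke it.
    """
    revoked, error = revoke_token(store[user_id], opener=opener)
    del store[user_id]
    return revoked, error
```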