1

If a user wants to remove him/herself from our service, we delete all of their data from our database, including Oauth tokens. The Oauth tokens we have are secure and persistent. As part of best practice we would like to totally invalidate the tokens as if they want to their Google accounts page and removed it there. Reading the Oauth documentation it was not clear to me if this is possible because all of the examples pertained to single-session or non-secure cases (and excuse my lack of "What did you try?"-ism but I'm trying to get a quick plan together on how to do this).

So

1) is this possible? Preferably on 1.0?

2) how to do this?

djechlin
  • 59,258
  • 35
  • 162
  • 290

1 Answers1

6

Yes, you can revoke tokens programmatically as if the user revoked access in their accounts settings page.

For AuthSub and OAuth 1.0, use the AuthSubRevoke token endpoint by making an OAuth-signed request to:

https://www.google.com/accounts/AuthSubRevokeToken

For OAuth 2.0, use the revocation endpoint like:

https://accounts.google.com/o/oauth2/revoke?token={refresh_token}
Ryan Boyd
  • 2,978
  • 1
  • 21
  • 19