Document how to revoke OAuth access token

In https://support.panopto.com/s/article/oauth2-for-services it states that "Refresh tokens must be kept secure and confidential by the client application but can be revoked if needed." Further down in the same doc it mentions in section 2.2.f. that "Refresh tokens can be revoked before they are used. In the case that a user or administrator revokes their refresh token and attempt to use it to get a new access token will fail. The user would need to log in again in order to get a new access token."

There does not appear to be any documentation though on the endpoint to use for revoking an OAuth access token programmatically in the forums or official support articles, and searching through Panopto's public GitHub the only plausible reference was archived 5 years ago in

https://github.com/Panopto/IdentityModel/blob/71a6704e726d65082165e4e0f1df4b53f2406b1a/docs/client/revocation.rst#L9

Can Panopto please provide additional documentation on how to revoke OAuth access tokens programmatically through the REST API? We always revoke OAuth tokens through our platform for other integrations we've connected to when a user removes the integration, and we'd like to do the same for our Panopto integration for security reasons. We want to proactively revoke the OAuth tokens rather than waiting for them to expire in certain cases.

Best Answer

  • Kevin Baum, Panopto Employee (accepted answer)

    Hi Scott,

    Thanks for pointing that out. I'll see what we can do to update our support articles to add a section on revoking tokens.

    Panopto supports all of the basic OAuth2 operations in our API Clients implementation, including the standard OAuth2 token revocation endpoint (https://demo.hosted.panopto.com/Panopto/oauth2/.well-known/openid-configuration). You can make a POST request to the OAuth2 revocation endpoint at https://[PanoptoServer]/Panopto/oauth2/connect/revocation. The authentication should be basic authentication, using the API Client ID and Client Secret as described in section 1.2 of our support article How to Get OAuth2 Access Tokens for Users.

    The POST body should have a content type of application/x-www-form-urlencoded and contain the following parameters:

    • token - The token value you are revoking
    • token_type_hint - "refresh_token" to revoke a refresh token.

    JWT Access Tokens cannot be revoked by this endpoint, as they are client-side only tokens, but should expire within an hour.

    Once you send the request to the revocation endpoint, the specified refresh token will fail to get a new access token.

    I hope that this helps. Please let me know if you have any other questions.

    Thanks,

    Kevin
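The exchange Kevin describes, written out as an added example (this is not Panopto's code and not from the support article): a POST to `https://[PanoptoServer]/Panopto/oauth2/connect/revocation` with HTTP Basic auth from the API Client ID and secret, a form-urlencoded body carrying `token` and `token_type_hint=refresh_token`, and the client-side cleanup a platform should do when a user removes the integration. The hostname, client credentials, token values, the `store` dict and the `FakeRevocationServer` are constructed placeholders so the code runs offline; only the endpoint path, auth scheme and body parameters come from the answer above. The statement that a revocation endpoint answers 200 even for an already-invalid token follows RFC 7009, not anything Panopto-specific.

```python
# Added example: revoking a Panopto refresh token via the OAuth2 revocation
# endpoint named in the answer, then wiping tokens locally. Not Panopto's code.
import base64
import urllib.error
import urllib.parse
import urllib.request

REVOCATION_PATH = "/Panopto/oauth2/connect/revocation"  # from the answer above


def build_revocation_request(server, client_id, client_secret, token,
                             token_type_hint="refresh_token"):
    """Build (but do not send) the POST described in the answer.

    server           - Panopto site hostname, e.g. "example.hosted.panopto.com" (placeholder)
    client_id/secret - API Client credentials, sent as HTTP Basic auth
    token            - the refresh token value to revoke
    token_type_hint  - "refresh_token", as the answer states
    """
    url = f"https://{server}{REVOCATION_PATH}"
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint}).encode("ascii")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def revoke_refresh_token(server, client_id, client_secret, token,
                         opener=urllib.request.urlopen):
    """Send the revocation request and return (http_status, revoked_ok).

    `opener` is injectable so the flow can be exercised without network access.
    Per RFC 7009 the endpoint answers 200 on success and also 200 for a token
    that is already invalid, so 200 means "this token can no longer be used".
    """
    req = build_revocation_request(server, client_id, client_secret, token)
    try:
        with opener(req, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code
    return status, status == 200


def disconnect_integration(store, user_id, server, client_id, client_secret,
                           opener=urllib.request.urlopen):
    """Client-side flow when a user removes the integration.

    Revoke the stored refresh token server-side, then delete every stored
    token locally whether or not revocation succeeded. The JWT access token
    cannot be revoked through this endpoint (per the answer); it is simply
    discarded and expires on its own within about an hour.
    `store` is a hypothetical dict: user_id -> {"refresh_token": ..., "access_token": ...}.
    Returns None if the user had no tokens, else (http_status, revoked_ok).
    """
    tokens = store.get(user_id)
    if tokens is None:
        return None
    result = revoke_refresh_token(server, client_id, client_secret,
                                  tokens["refresh_token"], opener=opener)
    del store[user_id]  # local wipe is unconditional: never keep a token we tried to kill
    return result


class _FakeResponse:
    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeRevocationServer:
    """Constructed stand-in for the endpoint so this example runs offline.
    It parses the form body, records the token it was asked to revoke, and
    answers 200 like a real revocation endpoint would."""

    def __init__(self):
        self.revoked = []

    def __call__(self, req, timeout=None):
        form = urllib.parse.parse_qs(req.data.decode("ascii"))
        self.revoked.append(form["token"][0])
        return _FakeResponse(200)


if __name__ == "__main__":
    fake = FakeRevocationServer()
    store = {"user-1": {"refresh_token": "CONSTRUCTED_RT", "access_token": "CONSTRUCTED_AT"}}
    print(disconnect_integration(store, "user-1", "example.hosted.panopto.com",
                                 "id", "secret", opener=fake))
    print("tokens left:", store, "| server revoked:", fake.revoked)
```

To run this against a real site, drop the `opener` argument so `urllib.request.urlopen` is used, and supply the actual hostname and API Client credentials. Log the returned status per user: a persistent non-200 from the revocation call is the signal that a refresh token you believed dead may still be usable and needs follow-up, while the local wipe already guarantees your own platform will not reuse it.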

Answers

  • Great, thank you. This is exactly the documentation we were looking for on revoking OAuth tokens.
