oidc-provider.revocation
RFC 7009 token revocation endpoint.
Provides handle-revocation-request for revoking access and refresh tokens. The endpoint always returns 200 on successful authentication, even for unknown tokens, to prevent token-scanning attacks per RFC 7009 §2.2.
handle-revocation-request
(handle-revocation-request params authorization-header client-store token-store)
Processes an RFC 7009 token revocation request.
Authenticates the client via oidc-provider.token-endpoint/authenticate-client, validates the token parameter is present, and revokes the token from token-store. Returns :ok on success (including for unknown tokens per RFC 7009 §2.2). Throws ex-info with "invalid_request" when the token parameter is missing, or lets authentication exceptions propagate on credential failure.
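The contract described above, mapped to HTTP responses in a Ring-style handler. This is an added example, not code from the oidc-provider project. It assumes that params can be Ring's :form-params map, that the "invalid_request" code is the exception message, and that any other ex-info thrown here is a client authentication failure; the example.revocation-handler namespace and the json-error helper are hypothetical.

```clojure
(ns example.revocation-handler
  "Added example: Ring-style adapter around handle-revocation-request."
  (:require [oidc-provider.revocation :as revocation]))

(defn- json-error
  "Builds an OAuth-style JSON error response. `code` is always a fixed literal
  chosen by this namespace, never request data, so no escaping is needed."
  [status code extra-headers]
  {:status  status
   :headers (merge {"Content-Type"  "application/json"
                    "Cache-Control" "no-store"}
                   extra-headers)
   :body    (str "{\"error\":\"" code "\"}")})

(defn revocation-handler
  "Returns a Ring handler for the revocation endpoint. client-store and
  token-store are the store implementations the application already uses
  with the library; they are passed through untouched."
  [client-store token-store]
  (fn [request]
    (try
      ;; Assumption: the library accepts Ring's :form-params map as `params`.
      (revocation/handle-revocation-request
       (:form-params request)
       (get-in request [:headers "authorization"])
       client-store
       token-store)
      ;; :ok covers both "revoked" and "unknown token". The response must be
      ;; byte-for-byte identical in both cases so that an authenticated client
      ;; cannot use this endpoint to probe which token values exist.
      {:status 200 :headers {"Cache-Control" "no-store"} :body ""}
      (catch clojure.lang.ExceptionInfo e
        (if (= "invalid_request" (ex-message e)) ; assumption: code is the message
          (json-error 400 "invalid_request" {})
          ;; Assumption: every other ex-info from this call is a credential
          ;; failure raised during client authentication.
          (json-error 401 "invalid_client" {"WWW-Authenticate" "Basic"}))))))
```

Keep the token value and the exception data out of request logs in this handler, since either one can reintroduce the distinction between known and unknown tokens that the uniform 200 response removes.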