How does a website revoke or disable OAuth access?

This may be a very stupid question, but I have had no luck finding an answer, so I hope someone can help me here. :)

I have a website that authenticates a user via OAuth with their Google or LinkedIn accounts. I would like to offer them the option to "disable" OAuth as their login source (i.e., stop using their Google or LinkedIn account as a login). Right now I am just deleting the OAuth data from my db. This does not seem to be sufficient, since the user is not prompted to allow access to my website the next time they try to "connect" the same account. It doesn't display this prompt:

[screenshot of the consent prompt]

I know that a user can revoke access on their side in their Google or LinkedIn account, but is there a way for me, on the website, to revoke access?

Thanks for any recommendations. :)

If that helps, I'm using the omniauth gem.

+3


1 answer


Google provides a way to programmatically revoke the token here.

To revoke the token programmatically, your app makes a request to https://accounts.google.com/o/oauth2/revoke and includes the token as a parameter:

    curl "https://accounts.google.com/o/oauth2/revoke?token={token}"

If this is still accurate, LinkedIn does not provide a way to do this:

    There is currently no programmatic way to revoke an OAuth 2.0 access token.

If you want to double check that your token has been revoked before deleting it from the application database, you can try something like this:

  • Ask the user to revoke the token from their settings page in each respective application
  • Ask the user to confirm that they did it.
  • Issue a harmless request (for example, get user profile information) and expect it to be unauthorized
  • If the request is unauthorized, the token was successfully canceled and you can delete it from your database.

+3
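The answer above describes two things: Google's revoke endpoint, and a "probe" procedure for providers (such as LinkedIn at the time of the answer) that offer no revoke call. The following is an added example, not code from the question or the answer, written in Ruby because the asker uses omniauth. It uses the revoke URL quoted in the answer; Google's current documentation lists the same operation at https://oauth2.googleapis.com/revoke as a POST with the token form-encoded, and notes that revoking an access token also revokes its associated refresh token. The probe URLs, the `transport` abstraction, and the `fake_transport` stub are assumptions made so the block runs offline; swap in `DEFAULT_TRANSPORT` against the real providers.

```ruby
require "net/http"
require "uri"
require "json"

# Added example, not from the original post. The revoke endpoint is the one
# the answer quotes; 200 on success and 400 for an already-invalid token is
# Google's documented behaviour for it.
GOOGLE_REVOKE_URI = URI("https://accounts.google.com/o/oauth2/revoke")

# "Harmless" probe requests, one per provider (assumed URLs for illustration;
# the exact path depends on the API version you are using).
PROBE_URIS = {
  google:   URI("https://www.googleapis.com/oauth2/v3/userinfo"),
  linkedin: URI("https://api.linkedin.com/v2/me"),
}.freeze

# Real transport: performs the request and returns [status, body].
# Injected so that tests and the demo below can substitute a stub.
DEFAULT_TRANSPORT = lambda do |method, uri, token|
  req = case method
        when :post then Net::HTTP::Post.new(uri).tap { |r| r.set_form_data("token" => token) }
        when :get  then Net::HTTP::Get.new(uri).tap { |r| r["Authorization"] = "Bearer #{token}" }
        end
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  [res.code.to_i, res.body]
end

# Step 1 (Google only): ask the provider to revoke the grant server-side.
# Returns :revoked, :already_invalid, or :failed.
def revoke_google_token(token, transport: DEFAULT_TRANSPORT)
  status, _body = transport.call(:post, GOOGLE_REVOKE_URI, token)
  case status
  when 200 then :revoked
  when 400 then :already_invalid # expired or unknown token: nothing left to revoke
  else :failed                   # network error, 5xx, etc.: keep the record, retry later
  end
end

# Step 2: confirm the way the answer suggests, by issuing a harmless request
# with the token and expecting the provider to reject it. Either auth-failure
# status is treated as rejection.
def token_rejected?(provider, token, transport: DEFAULT_TRANSPORT)
  status, _body = transport.call(:get, PROBE_URIS.fetch(provider), token)
  [401, 403].include?(status)
end

# Disconnect a provider: revoke where possible, then delete the stored
# credential only once the provider no longer honours it. `store` is any
# object responding to #delete(provider), e.g. a Hash or a DB wrapper.
def disconnect_provider(store, provider, token, transport: DEFAULT_TRANSPORT)
  if provider == :google
    return :revoke_failed if revoke_google_token(token, transport: transport) == :failed
  end
  return :still_valid unless token_rejected?(provider, token, transport: transport)
  store.delete(provider)
  :disconnected
end

# Constructed stub standing in for both providers so the block runs offline:
# a POST "revokes" the token, after which GETs with that token get 401.
def fake_transport(revoked = [])
  lambda do |method, _uri, token|
    case method
    when :post
      revoked << token
      [200, ""]
    when :get
      revoked.include?(token) ? [401, '{"error":"invalid_token"}'] : [200, '{"sub":"123"}']
    end
  end
end

if $PROGRAM_NAME == __FILE__
  store = { google: "ya29.example", linkedin: "AQX.example" } # constructed sample tokens
  t = fake_transport
  p disconnect_provider(store, :google, store[:google], transport: t)
  # LinkedIn has no revoke call and the user has not revoked it yet, so the
  # probe still succeeds and the record is deliberately kept.
  p disconnect_provider(store, :linkedin, store[:linkedin], transport: t)
end
```

The point of the `:still_valid` branch is the one the answer makes: for a provider without a revoke endpoint, deleting your own row does not end the grant, so the record should only go once a probe with the stored token is refused.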

