Skip to content

[13.x] Support Token Revocation RFC7009 and Token Introspection RFC7662 #1858

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: 13.x
Choose a base branch
from
Draft

[13.x] Support Token Revocation RFC7009 and Token Introspection RFC7662 #1858

wants to merge 4 commits into from

Conversation

@hafezdivandari
Copy link
Contributor

@hafezdivandari hafezdivandari commented Sep 29, 2025
edited
Loading

Token Revocation

Token Revocation RFC7009

First, enable the token revocation by calling the Passport::enableTokenRevocation method in the boot method of your application's App\Providers\AppServiceProvider class:

Passport::enableTokenRevocation();

Then, the consuming application should make a POST request to your application's /oauth/revoke route:

Http::asForm()->post('https://laravel.test/oauth/revoke', [
    'client_id' => 'your-client-id',
    'client_secret' => 'your-client-secret', // Required for confidential clients only...
    'token' => 'your-token-here',            // Either an access token or a refresh token to revoke...
    'token_type_hint' => 'access_token',     // Optional, to help the server optimize the token lookup. 'access_token' or 'refresh_token'...
]);

This will return an empty 200 response.

Token Introspection

Token Introspection RFC7662

First, enable the token introspection by calling the Passport::enableTokenIntrospection method in the boot method of your application's App\Providers\AppServiceProvider class:

Passport::enableTokenIntrospection();

Then, the consuming application should make a POST request to your application's /oauth/introspect route:

Http::asForm()->post('https://laravel.test/oauth/introspect', [
    'client_id' => 'your-client-id',
    'client_secret' => 'your-client-secret', // Required for confidential clients only...
    'token' => 'your-token-here',            // Either an access token or a refresh token to introspect...
    'token_type_hint' => 'access_token',     // Optional, to help the server optimize the token lookup. 'access_token' or 'refresh_token'...
]);

This will return a JSON response containing active attribute that indicates whether or not the presented token is currently active.

@github-actions
Copy link

github-actions bot commented Sep 29, 2025

Thanks for submitting a PR!

Note that draft PR's are not reviewed. If you would like a review, please mark your pull request as ready for review in the GitHub user interface.

Pull requests that are abandoned in draft may be closed due to inactivity.

@hafezdivandari hafezdivandari mentioned this pull request Sep 29, 2025
Open
@hafezdivandari hafezdivandari mentioned this pull request Oct 15, 2025
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hafezdivandari