Tags: ruby-on-rails, oauth, google-oauth, omniauth

How does a website revoke/disconnect OAuth access?


This might be a really dumb question, but I haven't had any luck finding an answer, so I'm hoping someone will help me out here. :)

I have a website that authenticates a user through OAuth with their Google or LinkedIn accounts. I'd like to offer them the option to "disconnect" that OAuth as a login source (i.e. stop using their Google or LinkedIn account as a login). What I do now is just delete the OAuth data from my db. That doesn't seem sufficient, as the user is not prompted to allow my website access the next time he tries to "connect" the same account. It doesn't show this prompt:

[image: screenshot of the OAuth consent prompt]

I know that the user can revoke access on his side in his Google or LinkedIn account, but is there a way for me, the website, to revoke the access?

Thanks for any guidance. :)

If it helps, I'm using the omniauth gem.


Solution

  • Google provides a way to programmatically revoke a token here.

    To programmatically revoke a token, your application makes a request to https://accounts.google.com/o/oauth2/revoke and includes the token as a parameter:

    curl "https://accounts.google.com/o/oauth2/revoke?token={token}"

    If this thread is still accurate, LinkedIn does not provide a way to do this.

    There's no programmatic way to revoke an OAuth 2.0 access token at this time.

    If you want to double check that your token has been revoked before removing it from your application's database, you may try something like this:

    1. Ask the user to revoke the token from their settings page on each respective application
    2. Have the user confirm that they've done so
    3. Issue a harmless request (e.g. get user's profile information) and expect it to be unauthorized
    4. If the request is unauthorized, the token has been successfully revoked, and you can remove it from your database
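The following is an added example, not code from the question or the answer above, showing how a Rails app using omniauth could implement the "revoke, confirm, then delete" flow as a small service object. It assumes that Google's revoke endpoint quoted in the answer also accepts the token as a POST form parameter (posting keeps the token out of URL-based access logs), that an authenticated GET of `https://www.googleapis.com/oauth2/v3/userinfo` is a suitable harmless probe, and that the app's storage exposes a `delete_token(provider, uid)` method; all three are assumptions for this example. The HTTP client is injected so the flow can be exercised offline with the constructed `FakeGoogle` stand-in at the bottom.

```ruby
require "net/http"
require "uri"

GOOGLE_REVOKE_URI = URI("https://accounts.google.com/o/oauth2/revoke")
# Assumed probe endpoint: a harmless, authenticated read whose 401 proves the token is dead.
GOOGLE_USERINFO_URI = URI("https://www.googleapis.com/oauth2/v3/userinfo")

class OauthDisconnector
  # http:  callable (Net::HTTPRequest -> response with #code); defaults to real Net::HTTP.
  # store: app persistence, must respond to #delete_token(provider, uid) (assumed interface).
  def initialize(store:, http: method(:real_http))
    @store = store
    @http = http
  end

  # Step 1: ask Google to revoke the token (assumed: POST form body is accepted).
  def revoke_google(token)
    req = Net::HTTP::Post.new(GOOGLE_REVOKE_URI)
    req.set_form_data("token" => token)
    @http.call(req).code == "200"
  end

  # Step 2: issue a harmless authenticated request and expect it to be unauthorized.
  def google_token_revoked?(token)
    req = Net::HTTP::Get.new(GOOGLE_USERINFO_URI)
    req["Authorization"] = "Bearer #{token}"
    @http.call(req).code == "401"
  end

  # Step 3: only delete the local record once the provider no longer honours the token.
  # Returns :revoked, :still_valid (keep the record and retry later) or :revoke_failed.
  def disconnect_google(uid, token)
    return :revoke_failed unless revoke_google(token)
    return :still_valid unless google_token_revoked?(token)
    @store.delete_token("google", uid)
    :revoked
  end

  private

  def real_http(req)
    Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) { |h| h.request(req) }
  end
end

# Constructed offline stand-in for Google: once a token has been posted to the
# revoke endpoint, the userinfo probe for that token answers 401.
FakeResponse = Struct.new(:code)

class FakeGoogle
  def initialize
    @revoked = {}
  end

  def call(req)
    case req.uri.path
    when GOOGLE_REVOKE_URI.path
      token = URI.decode_www_form(req.body).to_h["token"]
      @revoked[token] = true
      FakeResponse.new("200")
    when GOOGLE_USERINFO_URI.path
      token = req["Authorization"].to_s.sub("Bearer ", "")
      FakeResponse.new(@revoked[token] ? "401" : "200")
    else
      FakeResponse.new("404")
    end
  end
end

# Constructed in-memory stand-in for the app's OAuth table, keyed by [provider, uid].
class MemoryStore
  attr_reader :tokens
  def initialize(tokens)
    @tokens = tokens
  end

  def delete_token(provider, uid)
    @tokens.delete([provider, uid])
  end
end

# Runs the whole flow against the fake provider; returns [result, db_now_empty?].
def demo
  token = "ya29.constructed-token"
  store = MemoryStore.new({ ["google", "uid-1"] => token })
  result = OauthDisconnector.new(store: store, http: FakeGoogle.new).disconnect_google("uid-1", token)
  [result, store.tokens.empty?]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

For LinkedIn, where the answer notes there is no programmatic revoke, only the second and third steps apply: after the user has revoked access from their LinkedIn settings, run the probe and delete the record only on a 401. Returning `:still_valid` instead of deleting on a 200 is the important defensive choice; deleting a token that the provider still honours leaves a live credential you no longer track.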