Search code examples
node.jsreactjsgoogle-apigoogle-oauthaccess-token

How to revoke access token of google drive login using google oauth2?

I have google drive sign in feature in my react nodejs application. When ever a user clicks on sign in, I am using Google oauth2 to get code and that to get access token and refresh token using client ID and secret. I am saving these tokens and expiry in my database. Now, I want to revoke the token on logout. Below is the call I am making :

// token => storing refreshtoken
axios.post(`https://www.googleapis.com/oauth2/v3/revoke?token=${token}`, {
    })
    .then((response) => {
      console.log("response = ", response)
      log('INFO', 'Inside getNewToken done')
      return response
    }).catch((error) => {
      log('ERROR','Inside getNewToken, Error : ', error)
      return error
    })

It's showing "Request failed with status code 404". I also tried

https://oauth2.googleapis.com/revoke?token=${token}

This is showing "Request failed with status code 400" Where am I going wrong? The api to call is correct right

Solution

  • If you check googles discovery document openid-configuration

    You will find that the revoke endpoint should be

    "revocation_endpoint": "https://oauth2.googleapis.com/revoke",

    You are using

    https://www.googleapis.com/oauth2/v3/revoke

    Full disco doc responses

    {
 "issuer": "https://accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
 "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
 "token_endpoint": "https://oauth2.googleapis.com/token",
 "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
 "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_signing_alg_values_supported": [
  "RS256"
 ],
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post",
  "client_secret_basic"
 ],
 "claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "locale",
  "name",
  "picture",
  "sub"
 ],
 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ],
 "grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
 ]
}

    Remember that you can only revoke a token once so if it is revoked its going to give you an error if you try to revoke it again as it does not exist.