Managing issued tokens granted by each user (obtaining a list of clients, and updating scopes and revoking permissions for a particular client)

Overview


This article describes examples of managing tokens issued by Authlete. By specifying a user, the authorization server can obtain the list of clients that user has authorized, update the scopes granted to a client, and revoke a client's permissions.


Obtaining a list of clients which have been authorized by a user


The /client/authorization/get/list API provides a list of clients which have been authorized by a certain user (i.e. which have had tokens granted by the user). An example is as follows:

  • Request
    GET /api/client/authorization/get/list/<subject>

    GET /api/client/authorization/get/list?subject=<subject>

    POST /api/client/authorization/get/list
    application/x-www-form-urlencoded

    POST /api/client/authorization/get/list
    application/json

  • Request parameters
    subject:   Unique user ID. REQUIRED.
    start:     Start index of search results (inclusive). The default value is 0.
    end:       End index of search results (exclusive). The default value is 5.
    developer: Unique developer ID. The default value is null.

  • Response (success)
    200 OK

    application/json

  • Response parameters (success)
    start:      Start index of search results (inclusive).
    end:        End index of search results (exclusive).
    developer:  Unique developer ID.
    totalCount: The total number of clients that meet the conditions.
    clients:    An array of clients. The format of each client entry is the same
                as in the responses of other APIs, e.g. /api/client/get/{clientId}.

  • Response (failure)
    400 Bad Request, 403 Forbidden, 500 Internal Server Error etc.

    application/json
    {
      "resultCode": ...,
      "resultMessage": ...
    }


Updating authorization scopes for one of clients which have been authorized by a user


The /client/authorization/update API allows the authorization server to update the scopes of the tokens that a certain user has granted to a single client. An example is as follows:

  • Request
    POST /api/client/authorization/update/<clientId>
    application/x-www-form-urlencoded

    POST /api/client/authorization/update/<clientId>
    application/json

  • Request parameters
    subject: Unique user ID. REQUIRED.

    scopes:  An array of new scopes. Optional.
             If a non-null value is given, the new scopes are set on all existing
             access tokens. If the API call is made with
             "Content-Type: application/x-www-form-urlencoded", the scope names in
             this request parameter should be delimited by spaces (after form
             encoding, spaces are converted to '+').

  • Response
    200 OK, 400 Bad Request, 403 Forbidden, 500 Internal Server Error etc.

    application/json
    {
      "resultCode": ...,
      "resultMessage": ...
    }



Revoking authorization for one of clients which have been authorized by a user


The /client/authorization/delete API allows the authorization server to revoke tokens by specifying both a client and a user. An example is as follows:

  • Request
    DELETE /api/client/authorization/delete/<clientId>/<subject>

    DELETE /api/client/authorization/delete/<clientId>?subject=<subject>

    POST /api/client/authorization/delete/<clientId>
    application/x-www-form-urlencoded

    POST /api/client/authorization/delete/<clientId>
    application/json

  • Request parameters
    subject: Unique user ID. REQUIRED.

  • Response
    200 OK, 400 Bad Request, 403 Forbidden, 500 Internal Server Error etc.

    application/json
    {
      "resultCode": ...,
      "resultMessage": ...
    }
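The following added example (not Authlete's own code) builds the list, update and delete requests described in the three sections above and pages through the list endpoint using the documented start/end/totalCount semantics. The base URL, the `fetch` callback (where authentication would live) and the sample client records are constructed assumptions.

```python
from urllib.parse import urlencode, quote, urlparse, parse_qs

BASE = "https://api.example.invalid"  # placeholder, not a real Authlete host

def list_request(subject, start=0, end=5, developer=None):
    """GET form of /client/authorization/get/list; start inclusive, end exclusive."""
    params = {"subject": subject, "start": start, "end": end}
    if developer is not None:
        params["developer"] = developer
    return {"method": "GET",
            "url": f"{BASE}/api/client/authorization/get/list?{urlencode(params)}"}

def update_request(client_id, subject, scopes):
    """Form-encoded POST to /client/authorization/update. Scope names are joined
    with spaces; urlencode turns each space into '+', as the API expects."""
    body = {"subject": subject}
    if scopes is not None:
        body["scopes"] = " ".join(scopes)
    return {"method": "POST",
            "url": f"{BASE}/api/client/authorization/update/{client_id}",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}

def delete_request(client_id, subject):
    """DELETE form of /client/authorization/delete with subject as a query parameter."""
    return {"method": "DELETE",
            "url": f"{BASE}/api/client/authorization/delete/{client_id}"
                   f"?subject={quote(subject)}"}

def all_authorized_clients(subject, fetch, page_size=5):
    """Walk every page of the list endpoint. `fetch(request) -> dict` is the
    caller's HTTP layer (assumed; it adds credentials and returns the parsed
    JSON with start, end, totalCount and clients). Stops when the returned
    end index reaches totalCount or a page comes back empty."""
    clients, start = [], 0
    while True:
        page = fetch(list_request(subject, start, start + page_size))
        clients.extend(page["clients"])
        start = page["end"]
        if start >= page["totalCount"] or not page["clients"]:
            return clients

def fake_fetch_factory(records):
    """Constructed offline stand-in for the HTTP layer: serves `records`
    (a list of client dicts) with the list API's paging semantics."""
    def fetch(request):
        q = parse_qs(urlparse(request["url"]).query)
        start, end = int(q["start"][0]), int(q["end"][0])
        return {"start": start, "end": end, "totalCount": len(records),
                "clients": records[start:end]}
    return fetch
```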
