Managing issued tokens granted by each user (obtaining a list of clients, and updating scopes and revoking permissions for a particular client)

Overview


This article describes examples of managing tokens issued by Authlete. By specifying a user, the authorization server can obtain the list of clients that user has authorized, update the scopes granted to a client, and revoke a client's permissions.


Obtaining a list of clients which have been authorized by a user


/client/authorization/get/list API provides a list of clients which have been authorized by a certain user (i.e. which have had tokens granted by the user). An example is as follows:

  • Request
GET /api/client/authorization/get/list/<subject>

GET /api/client/authorization/get/list?subject=<subject>

POST /api/client/authorization/get/list
Content-Type: application/x-www-form-urlencoded

POST /api/client/authorization/get/list
Content-Type: application/json

  • Request parameters
subject:   Unique user ID. REQUIRED.
start:     Start index of search results (inclusive). The default value is 0.
end:       End index of search results (exclusive). The default value is 5.
developer: Unique developer ID. The default value is null.

  • Response (success)
200 OK

application/json

  • Response parameters (success)
start:      Start index of search results (inclusive).
end:        End index of search results (exclusive).
developer:  Unique developer ID.
totalCount: The total number of clients that meet the conditions.
clients:    An array of clients. The format of each client entry is the same as
            the client information returned by other APIs, e.g. /api/client/get/{clientId}.

  • Response (failure)
400 Bad Request, 403 Forbidden, 500 Internal Server Error etc.

application/json
{
  "resultCode": ...,
  "resultMessage": ...
}


Updating authorization scopes for one of clients which have been authorized by a user


/client/authorization/update API allows the authorization server to update the scopes of the tokens that a certain user has granted to a single client. An example is as follows:

  • Request
POST /api/client/authorization/update/<clientId>
Content-Type: application/x-www-form-urlencoded

POST /api/client/authorization/update/<clientId>
Content-Type: application/json

  • Request parameters
subject: Unique user ID. REQUIRED.

scopes:  An array of new scopes. Optional.
         If a non-null value is given, the new scopes are set on all existing
         access tokens. If the API call is made using
         "Content-Type: application/x-www-form-urlencoded", the scope names
         listed in this request parameter should be delimited by spaces
         (after form encoding, spaces are converted to '+').

  • Response
200 OK, 400 Bad Request, 403 Forbidden, 500 Internal Server Error etc.

application/json
{
  "resultCode": ...,
  "resultMessage": ...
}



Revoking authorization for one of clients which have been authorized by a user


/client/authorization/delete API allows the authorization server to revoke tokens by specifying both a client and a user. An example is as follows:

  • Request
DELETE /api/client/authorization/delete/<clientId>/<subject>

DELETE /api/client/authorization/delete/<clientId>?subject=<subject>

POST /api/client/authorization/delete/<clientId>
Content-Type: application/x-www-form-urlencoded

POST /api/client/authorization/delete/<clientId>
Content-Type: application/json

  • Request parameters
subject: Unique user ID. REQUIRED.

  • Response
200 OK, 400 Bad Request, 403 Forbidden, 500 Internal Server Error etc.

application/json
{
  "resultCode": ...,
  "resultMessage": ...
}
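The three calls above, as an added example that is not Authlete's own code: it builds the list, update and delete requests with the form-encoded variants described in this article, and pages through the list results using start/end and totalCount. BASE_URL and the Basic-auth service credentials are placeholders, and the `send` callable that actually delivers a request is assumed to be supplied by the caller.

```python
"""Added example (not Authlete's code). BASE_URL, API_KEY and API_SECRET are
placeholders; the service API key/secret are sent as HTTP Basic auth (assumption)."""
import base64
from urllib.parse import urlencode
from urllib.request import Request

BASE_URL = "https://api.authlete.example"                    # placeholder
API_KEY, API_SECRET = "SERVICE_API_KEY", "SERVICE_API_SECRET"  # placeholders
LIST_PATH = "/api/client/authorization/get/list"


def _request(method, path, params=None):
    """Build a Request carrying Basic auth; POST bodies are form-encoded."""
    token = base64.b64encode(f"{API_KEY}:{API_SECRET}".encode()).decode()
    headers, data = {"Authorization": f"Basic {token}"}, None
    if params is not None:
        data = urlencode(params).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return Request(BASE_URL + path, data=data, headers=headers, method=method)


def list_request(subject, start=0, end=5):
    """POST /api/client/authorization/get/list with start/end paging."""
    return _request("POST", LIST_PATH, {"subject": subject, "start": start, "end": end})


def update_request(client_id, subject, scopes):
    """Form-encoded scopes are space-delimited; urlencode turns spaces into '+'."""
    return _request("POST", f"/api/client/authorization/update/{client_id}",
                    {"subject": subject, "scopes": " ".join(scopes)})


def delete_request(client_id, subject):
    """DELETE /api/client/authorization/delete/<clientId>?subject=<subject>"""
    query = urlencode({"subject": subject})
    return _request("DELETE", f"/api/client/authorization/delete/{client_id}?{query}")


def all_authorized_clients(subject, send, page=5):
    """Collect every client the user has authorized, one page (start..end) at a time.
    `send` is a callable Request -> parsed JSON dict (e.g. built on urlopen)."""
    clients, start = [], 0
    while True:
        resp = send(list_request(subject, start, start + page))
        batch = resp.get("clients") or []      # "clients" may be null on an empty page
        clients.extend(batch)
        start = resp["end"]
        if not batch or start >= resp["totalCount"]:
            break
    return clients
```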
