/users/user/oauth2/applications
Invoke this AM-specific endpoint to list the applications granted OAuth 2.0 access and to delete tokens for a specified client. This lets you manage the tokens granted to applications on behalf of a resource owner.
For example, you can revoke all tokens for a resource owner across all clients after a password change or a suspected account compromise. To do this:
- Query the applications endpoint to list all clients with active tokens for the resource owner.
- Delete the tokens for each client returned.
| This approach revokes all tokens held by each client for the specified resource owner. If you want to revoke a single known access token or refresh token, use the /oauth2/token/revoke endpoint instead. |
To call the endpoint, you must compose the path to the realm where the client is registered.
| Use the AM API explorer for detailed information about the parameters supported by this endpoint, and to test it against your deployed AM instance. In the AM admin UI, click the Help icon, and go to API Explorer > /users > /user > /oauth2 > /applications. |
List clients with active tokens
This example lists all the OAuth 2.0 clients holding active tokens granted in the alpha realm for the resource owner, bjensen.
You must provide the SSO token of an admin user or the resource owner as a header,
and include the name of the resource owner (bjensen) in the URL:
$ curl \
    --request GET \
    --header "Accept-API-Version: resource=1.1" \
    --header "iPlanetDirectoryPro: Ua6fsH2vjgHqVY…" \
    "https://am.example.com:8443/am/json/realms/root/realms/alpha/users/bjensen/oauth2/applications?_queryFilter=true"
On success, AM returns an HTTP 200 code and a JSON object describing each OAuth 2.0 client that currently holds at least one active access or refresh token for the specified resource owner. For example:
{
  "result": [
    {
      "_id": "myClient",
      "_rev": "-1121350941",
      "name": "My client name",
      "scopes": {
        "write": "write"
      },
      "expiryDateTime": "2027-04-23T16:40:55.000Z",
      "logoUri": null
    },
    {
      "_id": "anotherClient",
      "_rev": "987654321",
      "name": "Another client name",
      "scopes": {
        "read": "read",
        "openid": "openid"
      },
      "expiryDateTime": null,
      "logoUri": null
    }
  ],
  "resultCount": 2,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}
| Field | Description |
|---|---|
| _id | The client ID of the OAuth 2.0 client that holds tokens on behalf of the resource owner. |
| name | The display name of the client, if configured. Returns |
| scopes | The scopes granted to this client by the resource owner, collected across all active access and refresh tokens for this resource owner and client. |
| expiryDateTime | The expiry date of the longest-lived token held by this client for the resource owner. Returns |
| logoUri | The URI of the client's logo, if configured. Returns |
Delete tokens for a client
The following example deletes all tokens held by the OAuth 2.0 client myClient granted in the
alpha realm by bjensen.
You must provide the SSO token of an admin user or the resource owner as a header,
and the username of the resource owner (bjensen) and the _id of the client (myClient) in the URL:
$ curl \
    --request DELETE \
    --header "Accept-API-Version: resource=1.1" \
    --header "iPlanetDirectoryPro: Ua6fsH2vjgHqVY…" \
    "https://am.example.com:8443/am/json/realms/root/realms/alpha/users/bjensen/oauth2/applications/myClient"
On success, AM returns an HTTP 200 code and a JSON object with information about the deleted tokens, such as the granted scopes and ID of the client. For example:
{
  "_id": "myClient",
  "_rev": "-1121350941",
  "name": "My client name",
  "scopes": {
    "write": "write"
  },
  "expiryDateTime": "2027-04-23T16:40:55.000Z",
  "logoUri": null
}
Repeat this request for each client _id returned when you queried the applications endpoint to delete all tokens for the resource owner across all clients.
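The list-then-delete procedure above as an added Python example (not part of the AM documentation). The names applications_url, revoke_all and the call transport parameter are hypothetical, and the realm path assumes a single realm directly under root, as in the alpha example. It continues past a failed delete and queries the endpoint again afterwards, so any client still holding tokens is reported.

```python
import json
import urllib.request
from urllib.parse import quote

API_VERSION = "resource=1.1"  # same value as the page's curl examples


def http_call(method, url, sso_token):
    """Default transport: send one request to AM and return the parsed JSON body."""
    req = urllib.request.Request(url, method=method, headers={
        "Accept-API-Version": API_VERSION,
        "iPlanetDirectoryPro": sso_token,  # SSO token of an admin or the resource owner
    })
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)


def applications_url(base, realm, user, client_id=None):
    """Build the endpoint URL; user and client ID are percent-encoded path segments.

    Assumption: `realm` is a single realm directly under root, as in the page's example.
    """
    url = (f"{base}/json/realms/root/realms/{quote(realm, safe='')}"
           f"/users/{quote(user, safe='')}/oauth2/applications")
    if client_id is None:
        return url + "?_queryFilter=true"  # list every client with active tokens
    return f"{url}/{quote(client_id, safe='')}"


def revoke_all(base, realm, user, sso_token, call=http_call):
    """List clients holding tokens for `user`, delete each, then re-query to confirm."""
    list_url = applications_url(base, realm, user)
    revoked, failed = [], []
    for app in call("GET", list_url, sso_token)["result"]:
        cid = app["_id"]
        try:
            call("DELETE", applications_url(base, realm, user, cid), sso_token)
            revoked.append(cid)
        except OSError as err:  # urllib's HTTPError and URLError subclass OSError
            failed.append((cid, str(err)))  # keep going so one failure does not stop the rest
    # Tokens may be issued between the list and the deletes, so check again.
    remaining = [a["_id"] for a in call("GET", list_url, sso_token)["result"]]
    return {"revoked": revoked, "failed": failed, "remaining": remaining}
```

A non-empty failed or remaining list in the result means the resource owner still has live tokens, and the run should be repeated or investigated before the account is treated as clean.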