/users/user/oauth2/applications
Invoke this Advanced Identity Cloud-specific endpoint to list the applications granted OAuth 2.0 access and to delete tokens for a specified client. This lets you manage the tokens granted to applications on behalf of a resource owner.
For example, you can revoke all tokens for a resource owner across all clients after a password change or a suspected account compromise. To do this:
- Query the applications endpoint to list all clients with active tokens for the resource owner.
- Delete the tokens for each client returned.
| This approach revokes all tokens held by each client for the specified resource owner. If you want to revoke a single known access token or refresh token, use the /oauth2/token/revoke endpoint instead. |
To call the endpoint, you must compose the path to the realm where the client is registered.
List clients with active tokens
This example lists all the OAuth 2.0 clients holding active tokens granted in the alpha realm for the resource owner, bjensen.
You must provide the SSO token of the tenant administrator or the resource owner in a header named after the tenant's session cookie (the cookieName value returned by the /am/json/serverinfo/* endpoint), and include the _id of the resource owner (the UUID of bjensen, not the username) in the URL:
$ curl --request GET \
--header "Accept-API-Version: resource=1.1" \
--header "<session-cookie-name>: Ua6fsH2vjgHqVY..." \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/users/1dff18dc-ac57-4388-8127-dff309f80002/oauth2/applications?_queryFilter=true"
On success, Advanced Identity Cloud returns an HTTP 200 code and a JSON object describing each OAuth 2.0 client that currently holds at least one active access or refresh token for the specified resource owner. For example:
{
"result": [
{
"_id": "myClient",
"_rev": "-1121350941",
"name": "My client name",
"scopes": {
"write": "write"
},
"expiryDateTime": "2027-04-23T16:40:55.000Z",
"logoUri": null
},
{
"_id": "anotherClient",
"_rev": "987654321",
"name": "Another client name",
"scopes": {
"read": "read",
"openid": "openid"
},
"expiryDateTime": null,
"logoUri": null
}
],
"resultCount": 2,
"pagedResultsCookie": null,
"totalPagedResultsPolicy": "NONE",
"totalPagedResults": -1,
"remainingPagedResults": -1
}
| Field | Description |
|---|---|
| _id | The client ID of the OAuth 2.0 client that holds tokens on behalf of the resource owner. |
| name | The display name of the client, if configured. Returns null otherwise. |
| scopes | The scopes granted to this client by the resource owner, collected across all active access and refresh tokens for this resource owner and client. |
| expiryDateTime | The expiry date of the longest-lived token held by this client for the resource owner. Returns null if the token does not expire. |
| logoUri | The URI of the client's logo, if configured. Returns null otherwise. |
Delete tokens for a client
The following example deletes all tokens held by the OAuth 2.0 client myClient granted in the alpha realm by bjensen.
You must provide the SSO token of the tenant administrator or the resource owner in a header named after the tenant's session cookie, and include the _id of the resource owner (the UUID of bjensen) and the _id of the client (myClient) in the URL:
$ curl --request DELETE \
--header "Accept-API-Version: resource=1.1" \
--header "<session-cookie-name>: Ua6fsH2vjgHqVY..." \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/users/1dff18dc-ac57-4388-8127-dff309f80002/oauth2/applications/myClient"
On success, Advanced Identity Cloud returns an HTTP 200 code and a JSON object with information about the deleted tokens, such as the granted scopes and ID of the client. For example:
{
"_id": "myClient",
"_rev": "-1121350941",
"name": "My client name",
"scopes": {
"write": "write"
},
"expiryDateTime": "2027-04-23T16:40:55.000Z",
"logoUri": null
}
Repeat this request for each client _id returned when you queried the applications endpoint to delete all tokens for the resource owner across all clients.
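The two-step procedure above (list the clients holding tokens for a resource owner, then delete the tokens for each client) is easy to get subtly wrong by hand, so here it is as a small script. This is an added example, not code from Advanced Identity Cloud; the tenant URL, realm, user _id and SSO token are placeholders you must supply, the session cookie header name is assumed to be the one returned by /am/json/serverinfo/*, and the handling of pagedResultsCookie via the _pagedResultsCookie query parameter follows the general CREST paging convention rather than anything this page states. The script collects every client _id first and only then issues the DELETE requests, so that deleting tokens cannot shift a paged listing under it. The SAMPLE_PAGE response is constructed from the example on this page so the logic can be exercised offline.

```python
"""Revoke all OAuth 2.0 tokens a resource owner has granted, one client at a time.

Added example (not Advanced Identity Cloud's own code). Assumptions, all placeholders:
  - base URL of the tenant, e.g. "https://<tenant-env-fqdn>/am"
  - the realm name under the root realm, e.g. "alpha"
  - the resource owner's _id (a UUID), not the username
  - the SSO cookie name (cookieName from /am/json/serverinfo/*) and a valid SSO token
  - CREST paging via _pagedResultsCookie (assumed to apply to this endpoint)
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API_VERSION = "resource=1.1"


def applications_url(base: str, realm: str, user_id: str,
                     client_id: Optional[str] = None,
                     paged_cookie: Optional[str] = None) -> str:
    """Build the applications endpoint URL.

    Without client_id: the query URL (GET) listing clients holding tokens.
    With client_id:    the per-client URL (DELETE) that revokes that client's tokens.
    """
    path = (f"{base}/json/realms/root/realms/{realm}/users/"
            f"{urllib.parse.quote(user_id, safe='')}/oauth2/applications")
    if client_id is not None:
        return f"{path}/{urllib.parse.quote(client_id, safe='')}"
    params = {"_queryFilter": "true"}
    if paged_cookie:
        params["_pagedResultsCookie"] = paged_cookie  # assumed CREST paging convention
    return f"{path}?{urllib.parse.urlencode(params)}"


def client_ids(page: dict) -> List[str]:
    """Client IDs from one page of the applications query response."""
    return [entry["_id"] for entry in page.get("result", [])]


def make_http(cookie_name: str, sso_token: str) -> Callable[[str, str], dict]:
    """Return an http(method, url) function that sends the SSO token as a header."""
    def http(method: str, url: str) -> dict:
        req = urllib.request.Request(url, method=method, headers={
            "Accept-API-Version": API_VERSION,
            cookie_name: sso_token,  # header named after the tenant's session cookie
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return http


def revoke_all(http: Callable[[str, str], dict], base: str, realm: str,
               user_id: str) -> List[str]:
    """List every client holding tokens for user_id, then delete each client's tokens.

    Returns the client IDs whose tokens were deleted. All pages are read before any
    DELETE is sent so that revocation cannot disturb the paged listing.
    """
    ids: List[str] = []
    cookie: Optional[str] = None
    while True:
        page = http("GET", applications_url(base, realm, user_id, paged_cookie=cookie))
        ids.extend(client_ids(page))
        cookie = page.get("pagedResultsCookie")
        if not cookie:
            break
    for cid in ids:
        http("DELETE", applications_url(base, realm, user_id, client_id=cid))
    return ids


# Constructed from the example response on this page, for offline use only.
SAMPLE_PAGE: Dict = {
    "result": [
        {"_id": "myClient", "name": "My client name", "scopes": {"write": "write"},
         "expiryDateTime": "2027-04-23T16:40:55.000Z", "logoUri": None},
        {"_id": "anotherClient", "name": "Another client name",
         "scopes": {"read": "read", "openid": "openid"},
         "expiryDateTime": None, "logoUri": None},
    ],
    "resultCount": 2,
    "pagedResultsCookie": None,
}


def fake_http(page: dict) -> Tuple[Callable[[str, str], dict], List[Tuple[str, str]]]:
    """Offline stand-in for make_http: answers GET with `page`, records every call."""
    calls: List[Tuple[str, str]] = []

    def http(method: str, url: str) -> dict:
        calls.append((method, url))
        if method == "GET":
            return page
        return {"_id": url.rsplit("/", 1)[1]}  # DELETE echoes the client _id
    return http, calls


if __name__ == "__main__":
    http, calls = fake_http(SAMPLE_PAGE)
    print(revoke_all(http, "https://<tenant-env-fqdn>/am", "alpha",
                     "1dff18dc-ac57-4388-8127-dff309f80002"))
    for method, url in calls:
        print(method, url)
```

To run it against a tenant, replace fake_http with make_http(cookie_name, sso_token) and pass the real base URL, realm and user _id; the SSO token must belong to the tenant administrator or to the resource owner, as the endpoint description above requires.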