Support revoking consent
For third-party apps, we require app developers to implement subscriber-initiated revocation of consent, so that a subscriber can easily deauthorize an application.
Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Flow
A sequence diagram is included here.
- The user MUST be able to prompt the third-party application (app) to revoke all consents it has given to the app (e.g. by clicking a button).
- The app SHALL request a revoke consent magic link from Working Group Two ID (WGTWO ID), supplying a random, non-guessable state.
- The app SHALL redirect the user to the returned link, which opens a WGTWO ID webpage.
- The user MAY confirm or cancel revoking consent (the user MAY also just close or leave the webpage).
- The user is redirected back to the app. The app MUST validate the state (i.e. check that it matches the value the app generated for this user's pending request); if it is valid, the app MAY delete local user content (e.g. from a database) and wipe the user's sessions to reflect that the app no longer has access to the user's WGTWO data/APIs.
Redirect
When the revoke consent flow finishes (completed, failed, or cancelled), the user is redirected back to the given redirect URI with the query parameter state set to the value the app supplied. A query parameter error is included in case of errors or the user cancelling the flow.
Generate a revoke consent magic link
This endpoint requires authentication by an OAuth2 access token issued to your client using the client_credentials grant, sent as a Bearer token in the Authorization header.
You also need to include a valid user access token, passed as the token field of the form-encoded body together with redirectTo and state.
On success the endpoint returns a 200 response whose body contains the redirect URI. Otherwise a 400 response code is returned, with a JSON structure explaining the error.
Request
curl \
--request POST \
--header "Accept: application/json" \
--header "Authorization: Bearer ${CLIENT_ACCESS_TOKEN}" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--url https://id.wgtwo.com/ext-api/v0/auth/create-revoke-consent-magic-link \
--data token="${USER_ACCESS_TOKEN}" \
--data redirectTo="${REDIRECT_URI}" \
--data state="${STATE}"
| Name | Description |
|---|---|
| CLIENT_ACCESS_TOKEN | Access token obtained with the client credentials grant |
| USER_ACCESS_TOKEN | Access token of the user whose consent is being revoked |
| REDIRECT_URI | URI the user is redirected to afterwards; must be registered for your client in the developer portal |
| STATE | Opaque, non-guessable state value that is echoed back in the final redirect |
Response
{
"redirectTo": "https://id.wgtwo.com/revoke-consent?revoke_token=(...)",
"error": null,
"errorDescription": null,
"errorHint": null
}
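The app side of the flow above, end to end, as an added example (this is not WGTWO's own code or SDK). It mints the state, stores it in the user's server-side session, sends the same POST as the curl request above, and on return validates the state before deciding whether to wipe local data. Assumed for illustration: the session is a dict with a slot named SESSION_STATE_KEY, fake_send is a constructed stand-in for WGTWO ID so the example runs offline, the error value cancelled is a made-up example (the page does not list error codes), and a state-valid return without an error parameter is treated as a successful revocation.

```python
import hmac
import json
import secrets
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

MAGIC_LINK_URL = "https://id.wgtwo.com/ext-api/v0/auth/create-revoke-consent-magic-link"
SESSION_STATE_KEY = "wgtwo_revoke_state"  # assumption: session slot holding the pending state


def new_state() -> str:
    """Random, non-guessable state from the OS CSPRNG (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


def build_request(client_access_token, user_access_token, redirect_uri, state) -> Request:
    """Same POST as the curl above: client token as Bearer, user token/redirectTo/state in the body."""
    body = urlencode({"token": user_access_token, "redirectTo": redirect_uri, "state": state}).encode()
    return Request(MAGIC_LINK_URL, data=body, method="POST", headers={
        "Accept": "application/json",
        "Authorization": f"Bearer {client_access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    })


def http_send(req: Request):
    """Real transport, returns (status, body). urlopen raises on 400, so the JSON error body is recovered."""
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as e:
        return e.code, e.read()


def start_revoke(session, client_access_token, user_access_token, redirect_uri, send=http_send) -> str:
    """Flow steps 2-3: mint a state, bind it to this user's session, fetch the magic link."""
    state = new_state()
    session[SESSION_STATE_KEY] = state
    status, body = send(build_request(client_access_token, user_access_token, redirect_uri, state))
    payload = json.loads(body)
    if status != 200 or payload.get("error") or not payload.get("redirectTo"):
        session.pop(SESSION_STATE_KEY, None)  # no redirect will happen, so nothing to validate later
        raise RuntimeError(f"magic link request failed: {status} {payload.get('error')}: "
                           f"{payload.get('errorDescription')}")
    return payload["redirectTo"]


def finish_revoke(session, callback_url, local_store, user_id) -> str:
    """Flow step 5: the user is back on redirectTo. Validate state first (single-use,
    constant-time compare), then inspect `error`; wipe local data only on a clean return."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop(SESSION_STATE_KEY, None)  # consumed even on failure: one shot per flow
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        return "rejected: invalid or missing state"
    if "error" in query:
        return "not revoked: " + query["error"][0]  # error or user cancelled: consent still in place
    # Assumption: a state-valid return without `error` means the consent was revoked.
    local_store.pop(user_id, None)
    session.clear()
    return "revoked"


def fake_send(req: Request):
    """Constructed stand-in for WGTWO ID so this example runs offline."""
    if req.get_header("Authorization") != "Bearer client-token":
        return 400, json.dumps({"redirectTo": None, "error": "invalid_client",
                                "errorDescription": "bad client token", "errorHint": None}).encode()
    form = parse_qs(req.data.decode())
    assert {"token", "redirectTo", "state"} <= set(form)
    return 200, json.dumps({"redirectTo": "https://id.wgtwo.com/revoke-consent?revoke_token=constructed",
                            "error": None, "errorDescription": None, "errorHint": None}).encode()


def run_scenario(outcome: str) -> dict:
    """Drive the whole flow for one user; `outcome` selects how WGTWO ID's redirect looks."""
    session = {"user_id": "alice"}
    store = {"alice": {"wgtwo_access_token": "user-token"}}  # constructed local user data
    link = start_revoke(session, "client-token", "user-token", "https://app.example/revoked", send=fake_send)
    state = session[SESSION_STATE_KEY]
    callbacks = {
        "confirmed": f"https://app.example/revoked?state={state}",
        "cancelled": f"https://app.example/revoked?state={state}&error=cancelled",  # made-up error value
        "tampered": "https://app.example/revoked?state=" + new_state(),             # forged callback
    }
    result = finish_revoke(session, callbacks[outcome], store, "alice")
    return {"link": link, "result": result, "alice_kept": "alice" in store, "session": dict(session)}
```

The order in finish_revoke matters: the state is checked and consumed before the error parameter is read, so a forged callback cannot make the app wipe or keep anything, and a replayed callback with an old state is rejected because the value was popped. A cancelled or failed return leaves the user's data and sessions untouched, since the consent is still in place.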