diff --git a/x-pack/docs/en/rest-api/security.asciidoc b/x-pack/docs/en/rest-api/security.asciidoc index 3ba582d5d78..ffc6c0baa3d 100644 --- a/x-pack/docs/en/rest-api/security.asciidoc +++ b/x-pack/docs/en/rest-api/security.asciidoc @@ -77,7 +77,6 @@ include::security/create-users.asciidoc[] include::security/delete-app-privileges.asciidoc[] include::security/delete-role-mappings.asciidoc[] include::security/delete-roles.asciidoc[] -include::security/delete-tokens.asciidoc[] include::security/delete-users.asciidoc[] include::security/disable-users.asciidoc[] include::security/enable-users.asciidoc[] @@ -87,4 +86,5 @@ include::security/get-roles.asciidoc[] include::security/get-tokens.asciidoc[] include::security/get-users.asciidoc[] include::security/has-privileges.asciidoc[] +include::security/invalidate-tokens.asciidoc[] include::security/ssl.asciidoc[] diff --git a/x-pack/docs/en/rest-api/security/get-tokens.asciidoc b/x-pack/docs/en/rest-api/security/get-tokens.asciidoc index c80b4f60c6b..f0da5700b5a 100644 --- a/x-pack/docs/en/rest-api/security/get-tokens.asciidoc +++ b/x-pack/docs/en/rest-api/security/get-tokens.asciidoc @@ -29,7 +29,7 @@ period is defined by the `xpack.security.authc.token.timeout` setting. For more information, see <>. If you want to invalidate a token immediately, you can do so by using the -<>. +<>. ==== Request Body diff --git a/x-pack/docs/en/rest-api/security/delete-tokens.asciidoc b/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc similarity index 53% rename from x-pack/docs/en/rest-api/security/delete-tokens.asciidoc rename to x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc index 7d6bae2a4c4..915fa7c45d8 100644 --- a/x-pack/docs/en/rest-api/security/delete-tokens.asciidoc +++ b/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc 
@@ -1,8 +1,8 @@ [role="xpack"] [[security-api-invalidate-token]] -=== Delete token API +=== Invalidate token API -Invalidates a bearer token for access without requiring basic authentication. +Invalidates an access token or a refresh token. ==== Request @@ -10,22 +10,30 @@ Invalidates a bearer token for access without requiring basic authentication. ==== Description -The tokens returned by the <> have a +The access tokens returned by the <> have a finite period of time for which they are valid and after that time period, they can no longer be used. That time period is defined by the `xpack.security.authc.token.timeout` setting. For more information, see <>. -If you want to invalidate a token immediately, use this delete token API. +The refresh tokens returned by the <> are +only valid for 24 hours. They can also be used exactly once. + +If you want to invalidate an access or refresh token immediately, use this invalidate token API. ==== Request Body The following parameters can be specified in the body of a DELETE request and -pertain to deleting a token: +pertain to invalidating a token: -`token` (required):: -(string) An access token. +`token` (optional):: +(string) An access token. This parameter cannot be used when `refresh_token` is used. + +`refresh_token` (optional):: +(string) A refresh token. This parameter cannot be used when `token` is used. + +NOTE: One of `token` or `refresh_token` parameters is required. ==== Examples @@ -40,6 +48,17 @@ DELETE /_xpack/security/oauth2/token -------------------------------------------------- // NOTCONSOLE +whereas the following example invalidates the specified refresh token immediately: + +[source,js] +-------------------------------------------------- +DELETE /_xpack/security/oauth2/token +{ + "refresh_token" : "movUJjPGRRC0PQ7+NW0eag" +} +-------------------------------------------------- +// NOTCONSOLE + A successful call returns a JSON structure that indicates whether the token has already been invalidated.
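Review bot: In the `@@ -1,8 +1,8 @@` hunk of invalidate-tokens.asciidoc, the new summary "Invalidates an access token or a refresh token." drops the only statement about how the request is authenticated ("without requiring basic authentication"), and nothing in the visible Description replaces it. Suggest adding one sentence on what credentials or privilege the caller needs in order to invalidate a token, since that is what an operator revoking a leaked token will look for first.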
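Review bot: In the Request Body part of the `@@ -10,22 +10,30 @@` hunk, `token` and `refresh_token` are each labelled `(optional)`, each description forbids the other, and the NOTE then says one of them is required, so the reader has to combine three statements to get the actual rule. Suggest stating it once as "exactly one of `token` or `refresh_token` must be specified" and documenting what the API returns when both or neither are sent. In the same hunk, "They can also be used exactly once." would read better as "and can be used only once", and it is worth saying whether the 24 hour refresh token lifetime is fixed, given that the access token lifetime is tied to `xpack.security.authc.token.timeout`.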
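Review bot: In the Examples hunk (`@@ -40,6 +48,17 @@`), the added lead-in "whereas the following example invalidates the specified refresh token immediately:" starts a new paragraph with a lowercase conjunction after a closed source block, so it renders as a sentence fragment. Suggest "The following example invalidates the specified refresh token immediately:". The unchanged sentence that follows still speaks of "the token" in general; if the response differs for refresh tokens, that should be said there.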