POST /oauth/revoke - OAuth 2.0 Token Revocation (RFC 7009).

A client presents a credential it issued and asks the authorization server to invalidate it. This endpoint revokes the refresh credential: revoking one refresh token tears down its whole family (every token descended from the same authorization), via the configured Attesto.RefreshStore. Access tokens are stateless, short-lived JWTs with no server-side state to drop, so a hint pointing at one is honored as a no-op success rather than an error (RFC 7009 §2.2).

Client authentication (RFC 7009 §2.1, RFC 6749 §2.3)

The revocation endpoint requires the same client authentication as the token endpoint. A confidential client authenticates with client_secret_basic (HTTP Basic) or client_secret_post (form parameters). Authentication is fail-closed: a request that names a client but does not prove the secret is rejected invalid_client (HTTP 401, RFC 6749 §5.2), and a request that names no client at all is likewise rejected, since this endpoint serves confidential clients. The authenticated client_id is then threaded into revocation so one client cannot revoke another client's tokens (RFC 7009 §2.1).

Client lookup and secret comparison are delegated to the host through the :load_client and :verify_client_secret configuration callbacks; this controller owns no client registry.

No-existence oracle (RFC 7009 §2.2)

Once the client is authenticated, the response is always HTTP 200 with an empty body, whether or not the presented token existed, was expired, or was already revoked. A revocation endpoint must not let a caller probe which tokens are live. The only non-200 outcomes are a malformed request (invalid_request, missing the required token parameter) and failed client authentication (invalid_client).

Caching (RFC 6749 §5.1)

Every response carries Cache-Control: no-store and Pragma: no-cache, so an intermediary never caches a revocation result.

Configuration

Built on AttestoPhoenix.Config. The callbacks this controller reads:

• :load_client - resolve an OAuth client by client_id.
• :verify_client_secret - constant-time client-secret comparison.
• :on_event (optional) - audit/telemetry hook; receives a :token_revoked AttestoPhoenix.Event after a successful revocation request.

The configured AttestoPhoenix.Config is read from conn.private[:attesto_phoenix_config], placed there by the host's router pipeline. The Attesto.RefreshStore revocation runs over defaults to the package's Ecto-backed store; a host pipeline may override it by putting a module under conn.private[:attesto_phoenix_refresh_store].