Revoking an application's access via the OAuth provider's settings

Hi,

Does Stytch provide any support to revoke an active application session when logging in via OAuth and revoking the token using the OAuth provider’s settings?

If so, would you be able to point me to the right documentation/pointers?

Thanks a lot

Hi Sami - thanks for posting!

> revoke an active application session when logging in via OAuth and revoking the token using the OAuth provider’s settings?

Here, do you mean revoking a session/token with the Identity Provider itself (rather than a Stytch Session minted as a result of an OAuth flow)? For instance, revoking a Google session when logging in via Google OAuth?

If so, this isn’t possible today - during OAuth flows like this, Stytch acts as the Service Provider. Our API doesn’t offer the ability to affect sessions with the underlying Identity Provider; that will need to be managed with the IdP itself.

Thanks. Yes, this is what I was wondering: if a token is revoked in the IdP itself.

Got it! Revoking a Stytch Session will not affect the session at the underlying IdP.

Happy to help answer any other questions that might come up about this as well!