OAuth2 refresh token revocation

Question

Hi there,&nbsp;I'm a developer working with the AccountRight Live api (cloud-hosted company file). I've followed the instructions for the OAuth2 flow and have had no issues getting access/refresh tokens, renewing the access token, or calling the APIs. However, I have been trying to figure out how to use your API to revoke a refresh_token by POSTing to&nbsp;https://secure.myob.com/oauth2/v1/revoke.&nbsp;I&nbsp;am using the official RFC (https://tools.ietf.org/html/rfc7009)&nbsp;to make the request.POST&nbsp;https://secure.myob.com/oauth2/v1/revokeAuthorization: Basic {Base64Encode(clientId:clientSecret)}Content-Type:&nbsp;application/x-www-form-urlencodedtoken={REFRESH_TOKEN}&amp;token_type_hint=refresh_tokenUnfortunately, this OAuth2 endpoint is NOT documented in your official documentation and I can't figure out why it's returning:{
"error": "invalid_request"
}Is there an official way to revoke an access/refresh token when your app no longer needs to have access to a company file?&nbsp;The primary use-case is that from a security standpoint we'd like to delete the token in our system AND revoke it on your end. Also, it's very hard to test the OAuth2 user flows because after I've approved our application the first time I cannot revoke access to our application meaning the next time I initiate the OAuth2 flow it skips the step where the user can Approve or Cancel granting access.Alternatively, is there a way to remove access for the application from within AccountRight Live itself? Or from your web interface?Thanks in advance you for your time and consideration!

jacob_s · Accepted Answer

Hi&nbsp;Finagraph,&nbsp;Thanks for reaching out. To revoke access, you will need to log into secure.myob.com with the my.MYOB account that was used to authenticate and revoke the access. This process cannot be completed via the API or via the AccountRight program itself.&nbsp;&nbsp;Thanks,JacobMYOB API TeamAre you a developer? Check out http://developer.myob.comLooking for an Add-on? Check out http://myob.com/addons/MYOB API Support Centre - https://apisupport.myob.com

finagraph · Answer

That did work! For anyone else following along. If you manually navigate your browser to https://secure.myob.com you get the following webpage:&nbsp;&nbsp;It's kind of an obscure webpage considering I have absolutely no idea how to get to this page using any links from other pages on the your website. For example, when I login to https://my.myob.au I see:&nbsp;I tried exploring just about all of the menu options from this page before posing this question. It might be nice if there was a weblink or other way to navigate to view connected applications from this webpage/site. Anyway, THANK YOU!

triboss · Answer

From the customer's end - you could try this URL:https://secure.myob.com/oauth2/account/logoff

finagraph · Answer

No. That does NOT revoke the access or refresh token. I can still invoke the API for the user's company file even if the user is not logged in. Also, even when I restart the OAuth2 flow and am prompted to login again I am STILL not given an opportunity to Cancel the authorization, but instead am redirected back immediately to the callback endpoint without user confirmation after logging in. Thanks for your effort though.

Is there someone from the MYOB AccountRight Live team who can answer this?

Forum Discussion

OAuth2 refresh token revocation

4 Replies

Related content

Certificate Revocation

Revocation information for security certificate

Security Certificate issues - revocation / Payroll Reporting Declaration issues

Refresh on purchase register

Something went wrong. Please try again or refresh the browser.

MYOB in tray not refreshing

Packing Slip list Refresh/Filter

EOFY 2023 Finalisation Something went wrong. Please try again or refresh the browser.