Invalidate the access token or refresh token of OAuth 2.0


I am preparing this document to help whoever wants to invalidate OAuth 2.0 access tokens and refresh tokens. I came across such a requirement and found that clear documentation is not available and some links have the wrong information.

You will find a couple of management API calls that are specified to revoke the access token or refresh token. Note here that "revoke" does not mean invalidate.

You will find the token is revoked but still working in real time: the revoked refresh token can still be used to get a new access token and refresh token. That allows continued use of the service even after you have revoked the tokens, and this is as far as revocation goes.

To invalidate the access token, the refresh token, or both, you need to use the token invalidation operation policy of OAuth 2.0. The policy invalidates the token immediately, and the next request that presents the token will get an error.

Remember that the API proxy containing the invalidate token policy must be deployed to the same environment as the token issuer. A different environment in the same organization does not work either.

To invalidate the access token only, set the cascade attribute to false. To invalidate both the access token and the refresh token, set cascade to true.

The documentation offers the option of setting the token type to refresh, but this does not work as documented when you try to invalidate the refresh token only. In that case there is a simple workaround: use the refresh token once, so that it becomes invalid for the next use.
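As an added illustration that is not part of the original post: the cascade attribute, token types and environment scoping described above match Apigee's InvalidateOAuthV2 policy, so here is what the two cascade settings look like in that policy's XML. The policy names, display names and the flow variable that carries the token (request.formparam.access_token) are assumptions; adjust them to your own proxy.

```xml
<!-- Variant 1: invalidate only the access token presented in the request.
     The refresh token that was issued together with it stays valid. -->
<InvalidateOAuthV2 name="Invalidate-Access-Token-Only">
  <DisplayName>Invalidate access token only</DisplayName>
  <Tokens>
    <!-- assumed flow variable: the token arrives as a form parameter -->
    <Token type="accesstoken" cascade="false">request.formparam.access_token</Token>
  </Tokens>
</InvalidateOAuthV2>

<!-- Variant 2: invalidate the access token and the refresh token paired with it.
     This is the setting to use when the goal is to end the session for good. -->
<InvalidateOAuthV2 name="Invalidate-Access-And-Refresh-Token">
  <DisplayName>Invalidate access token and refresh token</DisplayName>
  <Tokens>
    <!-- cascade="true" also invalidates the refresh token issued with this access token -->
    <Token type="accesstoken" cascade="true">request.formparam.access_token</Token>
  </Tokens>
</InvalidateOAuthV2>
```

Attach the policy to a flow in a proxy that is deployed in the same environment where the token was issued, as the post notes. After deploying, verify the behaviour rather than trusting the response: replay the invalidated access token against a protected resource and confirm it is rejected, and for the cascade="true" variant also confirm that a refresh_token grant using the old refresh token is rejected instead of minting a new pair.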

Hope this will help you.

Last update: 03-01-2021 10:34 AM