Last updated: 2025-08-19 (UTC)

# Revoke OAuth 2.0 access tokens by end user ID, app ID, or both

*This page applies to **Apigee** and **Apigee hybrid**.*

*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*

You can revoke OAuth 2.0 access tokens by end user ID, app ID, or both using the
[RevokeOAuthV2](/apigee/docs/api-platform/reference/policies/revoke-oauth-v2-policy) policy.
By end user, we mean the user of the app that is calling the API.

> **Warning:** OAuth tokens are cached for three minutes (180 seconds); therefore, a revoked token may still succeed for up to three minutes, until its cache entry expires.

When to store the user ID in an access token
--------------------------------------------

User IDs are not included in access tokens by default. Sometimes it is useful to store
the user ID in an access token, for example to support:

- A feature of your website or app that lets users see which third-party apps they have authorized, with an option to revoke those apps' access.
- A feature that lets an authorized user revoke all access tokens associated with a specific Developer App.

About OAuth access tokens
-------------------------

By default, when Apigee generates an OAuth 2.0 access token, the token has the format shown
below:

```json
{
  "issued_at" : "1421847736581",
  "application_name" : "a68d01f8-b15c-4be3-b800-ceae8c456f5a",
  "scope" : "READ",
  "status" : "approved",
  "api_product_list" : "[PremiumWeatherAPI]",
  "expires_in" : "3599",
  "developer.email" : "tesla@weathersample.com",
  "organization_id" : "0",
  "token_type" : "BearerToken",
  "client_id" : "k3nJyFJIA3p62DWOkLO6OJNi87GYXFmP",
  "access_token" : "7S22UqXGJDTuUADGzJzjXzXSaGJL",
  "organization_name" : "myorg",
  "refresh_token_expires_in" : "0",
  "refresh_count" : "0"
}
```

Note the following:

- The `application_name` field contains the UUID of the app associated with the token. If you enable revocation of OAuth 2.0 access tokens by app ID, this is the app ID you use.
- The `access_token` field contains the OAuth 2.0 access token value.
- The `expires_in` and `refresh_token_expires_in` values are in seconds.
- There is no field for the end user ID in the default OAuth access token.

To revoke OAuth 2.0 access tokens by end user ID, you have to configure the OAuth 2.0 policy
to include the user ID in the token. After you configure the policy to include the end user
ID in the token, it is included as the `app_enduser` field, as shown below:

```json
{
  "issued_at" : "1421847736581",
  "application_name" : "a68d01f8-b15c-4be3-b800-ceae8c456f5a",
  "scope" : "READ",
  "app_enduser" : "6ZG094fgnjNf02EK",
  "status" : "approved",
  "api_product_list" : "[PremiumWeatherAPI]",
  "expires_in" : "3599",
  "developer.email" : "tesla@weathersample.com",
  "organization_id" : "0",
  "token_type" : "BearerToken",
  "client_id" : "k3nJyFJIA3p62DWOkLO6OJNi87GYXFmP",
  "access_token" : "7S22UqXGJDTuUADGzJzjXzXSaGJL",
  "organization_name" : "myorg",
  "refresh_token_expires_in" : "0",
  "refresh_count" : "0"
}
```

Configuring the policies
------------------------

To revoke tokens by user ID, you must first configure the OAuth 2.0 policy to add the user ID to the access
token. Once end user IDs are included in access tokens, you can revoke tokens by end user ID.

To configure the policy to include an end user ID in an access token, you must specify the
input variable that contains the end user ID. Use the `<AppEndUser>` tag to specify the
variable:

```xml
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAccessTokenClient">
  <DisplayName>OAuth 2.0.0 1</DisplayName>
  <ExternalAuthorization>false</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <GrantType>request.queryparam.grant_type</GrantType>
  <AppEndUser>request.header.appuserID</AppEndUser>
  <ExpiresIn>960000</ExpiresIn>
</OAuthV2>
```

Here is an example `RevokeOAuthV2` policy configured to revoke access by `EndUserId`:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RevokeOAuthV2 continueOnError="false" enabled="true" name="GetOAuthV2Info-1">
  <DisplayName>Get OAuth v2.0 Info 1</DisplayName>
  <EndUserId ref="request.header.appuserID"></EndUserId>
  <Cascade>false</Cascade>
</RevokeOAuthV2>
```

See also
[Revoke OAuth V2 policy](/apigee/docs/api-platform/reference/policies/revoke-oauth-v2-policy#developer-app-id).

The following example command generates a token and passes the user ID in the `appuserID` header:

```bash
curl -H "appuserID:6ZG094fgnjNf02EK" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ" \
  -X POST "https://apitest.acme.com/oauth/token" \
  -d "grant_type=client_credentials"
```

You can pass the end user ID as part of the request in other ways. For example, as an alternative, you can:

- Use a form parameter variable: `request.formparam.appuserID`
- Use any flow variable that provides the end user ID
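Revocation by `EndUserId` only matches tokens that actually carry an `app_enduser` field, so it is worth checking, before deploying, that the `OAuthV2` policy which mints the tokens has an `<AppEndUser>` element and that it reads the same variable the `RevokeOAuthV2` policy references. The following Python is an added example, not Apigee code; it parses the two policy snippets from this page (embedded as constants). The `<AppId>` element name is taken from the RevokeOAuthV2 policy reference rather than from this page, and treating a differing variable name as a warning (rather than an error) is this example's own choice, since two variables can carry the same value.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# The two policy snippets from this page, embedded so the check runs offline.
GENERATE_POLICY = """<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAccessTokenClient">
  <DisplayName>OAuth 2.0.0 1</DisplayName>
  <ExternalAuthorization>false</ExternalAuthorization>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <GrantType>request.queryparam.grant_type</GrantType>
  <AppEndUser>request.header.appuserID</AppEndUser>
  <ExpiresIn>960000</ExpiresIn>
</OAuthV2>"""

REVOKE_POLICY = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RevokeOAuthV2 continueOnError="false" enabled="true" name="GetOAuthV2Info-1">
  <DisplayName>Get OAuth v2.0 Info 1</DisplayName>
  <EndUserId ref="request.header.appuserID"></EndUserId>
  <Cascade>false</Cascade>
</RevokeOAuthV2>"""


def app_end_user_variable(policy_xml: str) -> Optional[str]:
    """Flow variable an OAuthV2 GenerateAccessToken policy stores as app_enduser, or None."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    if root.tag != "OAuthV2" or root.findtext("Operation") != "GenerateAccessToken":
        return None
    text = root.findtext("AppEndUser")
    return text.strip() if text else None


def revoke_selectors(policy_xml: str) -> dict:
    """What a RevokeOAuthV2 policy selects tokens by: end-user ref, app-id ref, cascade flag."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    if root.tag != "RevokeOAuthV2":
        raise ValueError("not a RevokeOAuthV2 policy")

    def ref(tag: str) -> Optional[str]:
        el = root.find(tag)
        return el.get("ref") if el is not None else None

    return {
        "end_user_ref": ref("EndUserId"),
        "app_id_ref": ref("AppId"),  # element name assumed from the policy reference
        "cascade": (root.findtext("Cascade") or "false").strip().lower() == "true",
    }


def check_policies(generate_xml: str, revoke_xml: str) -> List[str]:
    """Findings that would make revocation select nothing (error:) or look suspicious (warning:)."""
    findings = []
    stored = app_end_user_variable(generate_xml)
    sel = revoke_selectors(revoke_xml)
    if sel["end_user_ref"] is None and sel["app_id_ref"] is None:
        findings.append("error: RevokeOAuthV2 has neither <EndUserId> nor <AppId>; no token is selected")
    if sel["end_user_ref"] is not None:
        if stored is None:
            findings.append("error: <EndUserId> is used but the OAuthV2 policy has no <AppEndUser>, "
                            "so its tokens carry no app_enduser field to match")
        elif stored != sel["end_user_ref"]:
            findings.append(f"warning: end user ID read from {stored!r} at generation "
                            f"but {sel['end_user_ref']!r} at revocation")
    return findings


if __name__ == "__main__":
    for line in check_policies(GENERATE_POLICY, REVOKE_POLICY) or ["ok: policies agree"]:
        print(line)
```

Run it against the page's two policies and it reports `ok: policies agree`; delete the `<AppEndUser>` line from the generate policy and it reports the error, which is exactly the misconfiguration that makes a `RevokeOAuthV2` call return success while revoking nothing.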
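The two facts a practitioner most needs to keep in mind from this page are the selection rule (end user ID, app ID, or both, where "both" means a token must match both) and the warning that a revoked token keeps working for up to 180 seconds while its cached entry lives. The following Python is an added example, not Apigee code: it models a token store whose entries carry the documented `application_name` and `app_enduser` fields, in front of a read-through cache with the 180-second lifetime the page states. The tokens, app IDs and user IDs are constructed sample values, and the assumption that a runtime serves validity decisions from such a cache is this example's simplification of the page's warning.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CACHE_TTL_SECONDS = 180  # from the page: tokens are cached for three minutes


@dataclass
class Token:
    access_token: str
    application_name: str       # app UUID; the "app ID" used for revocation by app
    app_enduser: Optional[str]  # present only when <AppEndUser> was configured
    status: str = "approved"


class TokenStore:
    """Constructed token store plus the validity cache a runtime keeps in front of it."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}
        self._cache: Dict[str, Tuple[str, float]] = {}  # access_token -> (status, cached_at)

    def issue(self, token: Token) -> None:
        self._tokens[token.access_token] = token

    def revoke(self, *, end_user_id: Optional[str] = None,
               app_id: Optional[str] = None) -> List[str]:
        """Revoke approved tokens matching every selector given; return the revoked values."""
        if end_user_id is None and app_id is None:
            raise ValueError("specify end_user_id, app_id, or both")
        revoked = []
        for tok in self._tokens.values():
            if end_user_id is not None and tok.app_enduser != end_user_id:
                continue  # tokens minted without <AppEndUser> never match here
            if app_id is not None and tok.application_name != app_id:
                continue
            if tok.status == "approved":
                tok.status = "revoked"
                revoked.append(tok.access_token)
        return revoked

    def is_valid(self, access_token: str, now: float) -> bool:
        """Runtime check, served from cache until the entry is CACHE_TTL_SECONDS old."""
        entry = self._cache.get(access_token)
        if entry is not None and now - entry[1] < CACHE_TTL_SECONDS:
            return entry[0] == "approved"
        tok = self._tokens.get(access_token)
        status = tok.status if tok else "invalid"
        self._cache[access_token] = (status, now)
        return status == "approved"


def demo() -> dict:
    """Walk through the selection rule and the cache lag with constructed tokens."""
    store = TokenStore()
    store.issue(Token("tokA", "app-1", "user-1"))
    store.issue(Token("tokB", "app-1", "user-2"))
    store.issue(Token("tokC", "app-2", "user-1"))
    store.issue(Token("tokD", "app-2", None))  # minted by a policy without <AppEndUser>
    out = {}
    out["valid_before"] = store.is_valid("tokA", now=0)            # populates the cache
    out["revoked_by_user"] = store.revoke(end_user_id="user-1")    # tokA and tokC
    out["still_valid_in_cache"] = store.is_valid("tokA", now=100)  # the page's warning
    out["valid_after_ttl"] = store.is_valid("tokA", now=180)       # cache refreshed
    out["revoked_by_both"] = store.revoke(app_id="app-1", end_user_id="user-2")  # tokB only
    out["repeat_is_noop"] = store.revoke(end_user_id="user-1")     # nothing left to revoke
    out["untagged_survives_user_revoke"] = store.is_valid("tokD", now=0)
    out["revoked_by_app"] = store.revoke(app_id="app-2")           # tokD (tokC already gone)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `still_valid_in_cache` result is the behaviour the warning describes: a revocation audit that only checks the store will say the token is gone while the runtime still accepts it, so anything that depends on revocation taking effect (session termination, an incident response playbook step) should allow for the 180-second window rather than treating the `RevokeOAuthV2` response as immediate.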