Back-Channel Session Revocation allows OAuth clients, such as PingAccess® , to query the revocation status of their sessions by sending HTTP GET requests to the session revocation endpoint on PingFederate at /pf-ws/rest/sessionMgmt/revokedSris.

To access the session revocation endpoint, a client must be granted access to the Session Revocation API. It must also authenticate with its client secret or client certificate and include in the request the session identifier, which can be obtained from the access token or the ID token.

Back-Channel Session Revocation also allows the clients to revoke sessions by sending HTTP POST requests to the same session revocation endpoint. This gives application developers the flexibility to revoke sessions based on the logic of their applications.

For each session added to the revocation list, PingFederate retains its revocation status for a configurable lifetime. Access control and authentication requirements to revoke sessions are identical to those to query for the revocation status.