Build a revoke flow
A revoke flow is a system flow that lets a builder revoke an OAuth 2.0 (or other token-based authentication) token.
A connector's revoke method is invoked when a connection is deleted from the platform, or when a user requests their data be deleted. This might be required, for example, to comply with the General Data Protection Regulation.
Revoke flows aren't displayed to the end user and are only used by the platform. The revoke flow has no Options or Input fields.
Not all OAuth services have a revoke endpoint.
To test a token revocation from the Test Connections page, you must first deploy a local connector to your org that contains an active revoke flow. The revoke flow doesn't have to be named revoke.
Start this task
- On the Flows tab, create a flow by clicking + New Flow in the upper right corner of the page.
- At the far left of the page, click Revoke.
- Click the Save button in the toolbar and name the flow.
- In the flow description field, type Revoke an access token from the {your service} service. Select the Save all data that passes through the Flow option, and click Save.
- Add an error handling If Error card as the first card in the flow.
- Add the flow control Call Flow card inside the Try section of the card.
- Click the Choose Flow button, and then select the httpHelper flow that you created previously. The card automatically populates with the inputs defined in the httpHelper flow.
- Enter the relative URL for the revoke endpoint.
- Enter the request method. This is most likely a POST operation.
- Drag the auth object from the connector authping card to the Connection input field of the Call Flow card.
- Enter any additional information required for the call in the query, headers, or body field. You may need to add an object Construct card before the Call Flow card to build out any necessary objects.
- For the outputs on the Helper Flow card, define the same keys as on the httpHelper flow's outputs:
  - status_code, Number
  - headers, Object
  - body, Object
- Add a flow control Assign card to the right of the Call Flow card that's inside the If Error function. Click Click or drop here to create and name the field message.
- Manually add a success message in the new field. For example, The access token was successfully revoked.
- Click the View Outputs link at the top right of the If Error card to expand the card's outputs section.
- In the outputs section, click Click or drag to create and enter status_code. Two inputs appear that read Drag output here.
- Drag the status_code output field from the Call Flow card into the top of the two inputs under the status_code field.
- In the outputs section, click Click or drag to create, and then enter message.
- Drag the message output field from the Assign card into the top of the two inputs under the message field.
- Select the dropdown menu at the top of the If Error card, and then select If Error. This is where any service-specific error handling can be managed.
- Depending on the service, you may need extra keys for the Error object in the left panel of the If Error card to pull the status code and error messages from the object returned by the service. To add keys, click Enter key name.
- Drag these new keys into the corresponding outputs of the If Error card.
- Add a branching Assign If card to the right of the If Error function card.
- Drag the status_code field from the If Error card outputs into the value a field of the Assign If card. Make sure that the comparison is set to equal to.
- In the value b field, enter the status code of a successful request. Usually, this value is 200.
- Change the data type on the value if true field to True/False, and then set the value to True.
- Change the data type on the value if false field to True/False, and then set the value to False.
- Change the data type on the output field to True/False, and then change the name of the field to revoked.
- Drag the revoked field from the Assign If card into the revoked input field on the Return card.
- Add a Construct card to the end of the flow.
- Click Click or drop here to create and add a label named unregisterURL.
- Enter the URL where the user can go to manually remove access to the service. For example, https://www.spotify.com/us/account/apps/.
- Click Click or drop here to create and add a label called text. This is the text shown to the end user if the token revocation fails for any reason. Enter a message in this field. For example, Unable to completely revoke access to Spotify. Visit your account page to manually remove access.
- Rename the output of this Construct card as message, and then drag it into the message input field on the Return card.
- Add a Construct card.
- Click Click or drop here to create and add a label named statusCode.
- Drag the status_code field from the If Error card outputs into the new statusCode field of the Construct card.
- Add another input field to the Construct card and name it body.
- Drag the message output field from the If Error card outputs into the body field on the Construct card.
- On the object Construct card, rename the output field to serviceResponse.
- Drag the serviceResponse output field from the Construct card into the serviceResponse field on the Return card.
- Click Save and Run.
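
The logic the finished flow implements, written out in Python as an added example (not code from the platform or its documentation). The http_helper callable stands in for the httpHelper flow, and the ServiceError class, the access_token key on the auth object, the RFC 7009 style form body, and the /revoke path are assumptions made for illustration.

```python
SUCCESS_STATUS = 200  # "value b" on the Assign If card
UNREGISTER_URL = "https://www.spotify.com/us/account/apps/"  # page's example
FALLBACK_TEXT = ("Unable to completely revoke access to Spotify. "
                 "Visit your account page to manually remove access.")

class ServiceError(Exception):
    """Constructed stand-in for the Error object the If Error card exposes."""
    def __init__(self, status_code, message):
        super().__init__(message)
        self.status_code, self.message = status_code, message

def revoke(http_helper, auth, relative_url):
    try:  # Try section: Call Flow -> httpHelper, then Assign the message
        resp = http_helper(
            relative_url=relative_url, request_method="POST", connection=auth,
            # Assumed RFC 7009 form body; key names in auth are hypothetical.
            body={"token": auth["access_token"],
                  "token_type_hint": "access_token"})
        status_code = resp["status_code"]
        message = "The access token was successfully revoked."
    except ServiceError as err:  # If Error section: read code and message
        status_code, message = err.status_code, err.message
    return {
        # Assign If card: True only when status_code equals the success code
        "revoked": status_code == SUCCESS_STATUS,
        # Construct card shown to the end user when revocation fails
        "message": {"unregisterURL": UNREGISTER_URL, "text": FALLBACK_TEXT},
        # Construct card carrying the service outcome back to the platform
        "serviceResponse": {"statusCode": status_code, "body": message},
    }

# Constructed httpHelper stand-ins covering success, a thrown error, and a
# non-200 reply that does not raise.
def helper_ok(**kwargs):
    return {"status_code": 200, "headers": {}, "body": {}}

def helper_denied(**kwargs):
    raise ServiceError(401, "invalid_token")

def helper_unavailable(**kwargs):
    return {"status_code": 503, "headers": {}, "body": {}}

AUTH = {"access_token": "constructed-token-value"}  # constructed sample

if __name__ == "__main__":
    for helper in (helper_ok, helper_denied, helper_unavailable):
        print(helper.__name__, revoke(helper, AUTH, "/revoke")["revoked"])
```

In the helper_unavailable case the Try section completes without an error, so serviceResponse.body still carries the success text while revoked is False; anything consuming the result should key on revoked and statusCode rather than the message string.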