sso-oauth:RevokeTokenWithIAM is a Write access-level action in the sso-oauth service. Grants permission to revoke OAuth 2.0 access tokens and refresh tokens, invalidating them before their normal expiration. This permission is used only by AWS managed applications and is not documented in the IAM Identity Center OIDC API Reference
ARNs that sso-oauth:RevokeTokenWithIAM can be scoped to in an IAM policy.
No condition keys are documented for this action.
To use sso-oauth:RevokeTokenWithIAM you may also need to grant:
A minimal policy that allows sso-oauth:RevokeTokenWithIAM. Replace "Resource": "*" with a specific ARN to follow least privilege.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSsooauthRevokeTokenWithIAM",
"Effect": "Allow",
"Action": "sso-oauth:RevokeTokenWithIAM",
"Resource": "*"
}
]
}