feat: Implement token revocation in STS client and add revoke() metho… by kdeniz-git · Pull Request #1849 · googleapis/google-auth-library-python
…d to ExternalAccountAuthorizedUser credentials * Add support for OAuth 2.0 token revocation to the STS client, aligning with the specification in RFC7009. * A new revoke_token method is introduced, which makes a POST request to a revocation endpoint. The underlying request handler has also been updated to correctly process successful but empty HTTP responses, as specified by the standard for revocation. * Building on the STS client's new capabilities, this change exposes a public revoke() method on the ExternalAccountAuthorizedUser credentials class. * This method encapsulates the logic for revoking the refresh token by calling the underlying STS client's revoke_token function. It simplifies the process for client applications, like gcloud, to revoke these specific credentials without needing to interact directly with the STS client. * Unit tests are included to verify successful revocation and to ensure appropriate errors are raised if required fields (like revoke_url) are missing.
requested review from
a team
…:kdeniz-git/google-auth-library-python into implement-token-revocation-in-sts-client
nbayati previously approved these changes Nov 5, 2025
…:kdeniz-git/google-auth-library-python into implement-token-revocation-in-sts-client
vchudnov-g added a commit that referenced this pull request
Dec 15, 2025
PR created by the Librarian CLI to initialize a release. Merging this PR will auto trigger a release. Librarian Version: v0.7.0 Language Image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator:latest <details><summary>google-auth: 2.44.0</summary> ## [2.44.0](v2.43.0...v2.44.0) (2025-12-12) ### Features * MDS connections use mTLS (#1856) ([0387bb9](0387bb95)) * support Python 3.14 (#1822) ([0f7097e](0f7097e7)) * add ecdsa p-384 support (#1872) ([39c381a](39c381a5)) * Add shlex to correctly parse executable commands with spaces (#1855) ([cf6fc3c](cf6fc3cc)) * Implement token revocation in STS client and add revoke() metho… (#1849) ([d563898](d5638986)) ### Bug Fixes * Add temporary patch to workload cert logic to accomodate Cloud Run mis-configuration (#1880) ([78de790](78de7907)) * Delegate workload cert and key default lookup to helper function (#1877) ([b0993c7](b0993c7e)) * Use public refresh method for source credentials in ImpersonatedCredentials (#1884) ([e0c3296](e0c3296f)) </details>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters