Add revoke_token endpoint for ai_workflows scope
What does this MR do and why?
This commit adds a new endpoint to be called from Duo Workflow Service to revoke the OAuth token after the Agent Platform session is completed.
References
Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/555923
Screenshots or screen recordings
How to set up and validate locally
- Disable ROPC in the Rails console:

  ```ruby
  ApplicationSetting.first.update(ropc_without_client_credentials: false)
  ```

- Create an `ai_workflows`-scoped token:

  ```shell
  curl -XPOST "http://gdk.test:3000/api/v4/ai/duo_workflows/direct_access?private_token=$GDK_TOKEN"
  ```

- Store the `gitlab_rails.token` value from the response (the commands below read it from a `GITLAB_RAILS_TOKEN` shell variable).
- Try to revoke it with the `/oauth/revoke` endpoint:

  ```shell
  curl -X POST --verbose \
    --header "Authorization: Bearer $GITLAB_RAILS_TOKEN" \
    --header 'Content-Type: application/json' \
    --data "{\"token\": \"$GITLAB_RAILS_TOKEN\"}" \
    http://gdk.test:3000/oauth/revoke
  ```

  It should not revoke the token.
- Now use the new endpoint:

  ```shell
  curl -X POST --verbose \
    --header "Authorization: Bearer $GITLAB_RAILS_TOKEN" \
    --header 'Content-Type: application/json' \
    --data "{\"token\": \"$GITLAB_RAILS_TOKEN\"}" \
    http://gdk.test:3000/api/v4/ai/duo_workflows/revoke_token
  ```

  It should revoke the token.
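The validation steps above, scripted so they can be re-run after each change and checked with assertions rather than by eye. This is an added example and not part of the MR or of GitLab's code. It assumes (neither is stated in the MR) that the `direct_access` response is JSON of the form `{"gitlab_rails": {"token": "..."}}`, and that a token is "alive" when a bearer-authenticated `GET` to `PROBE_PATH` (here `/api/v4/user`, a hypothetical choice; pick any endpoint the `ai_workflows` scope is allowed to read) returns 200 and "revoked" when it returns 401. The `FakeGitLab` transport is a constructed in-memory model of the behaviour the MR describes, so the flow can be exercised without a running GDK; set `GDK_TOKEN` to run it against a real instance.

```python
# Added example (not part of the MR): scripts the manual validation steps so the
# expected outcome of each step is asserted instead of read off --verbose output.
# Assumptions (not from the MR): direct_access answers {"gitlab_rails": {"token": ...}};
# a bearer GET to PROBE_PATH returns 200 while the token is valid and 401 once revoked.
import json
import urllib.error
import urllib.request

BASE_URL = "http://gdk.test:3000"   # GDK default used in the MR steps
PROBE_PATH = "/api/v4/user"         # hypothetical: any endpoint the scope may read


def urllib_send(method, path, headers=None, body=None, base_url=BASE_URL):
    """Real transport: returns (HTTP status, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url + path, data=data, method=method,
        headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def token_is_alive(send, token):
    """True while the bearer token still authenticates against PROBE_PATH."""
    status, _ = send("GET", PROBE_PATH, {"Authorization": f"Bearer {token}"})
    return status == 200


def run_validation(send, gdk_token):
    """Runs the four MR steps through `send` and returns {step_name: passed}."""
    results = {}
    status, resp = send(
        "POST", f"/api/v4/ai/duo_workflows/direct_access?private_token={gdk_token}")
    token = (resp or {}).get("gitlab_rails", {}).get("token")
    results["direct_access_issued_token"] = status in (200, 201) and bool(token)
    if not token:
        return results
    bearer = {"Authorization": f"Bearer {token}"}
    results["token_usable_before_revoke"] = token_is_alive(send, token)
    # Step 3: /oauth/revoke must leave the ai_workflows token usable.
    send("POST", "/oauth/revoke", bearer, {"token": token})
    results["oauth_revoke_did_not_revoke"] = token_is_alive(send, token)
    # Step 4: the new endpoint must actually revoke it.
    send("POST", "/api/v4/ai/duo_workflows/revoke_token", bearer, {"token": token})
    results["revoke_token_revoked"] = not token_is_alive(send, token)
    return results


class FakeGitLab:
    """Constructed stand-in modelling the behaviour the MR describes: /oauth/revoke
    accepts the request but does not touch an ai_workflows token; revoke_token does."""

    def __init__(self):
        self.tokens = {}  # token -> revoked?

    def send(self, method, path, headers=None, body=None):
        bearer = (headers or {}).get("Authorization", "").removeprefix("Bearer ")
        if method == "POST" and path.startswith("/api/v4/ai/duo_workflows/direct_access"):
            token = f"constructed-ai-workflows-token-{len(self.tokens) + 1}"
            self.tokens[token] = False
            return 201, {"gitlab_rails": {"token": token}}
        if bearer not in self.tokens or self.tokens[bearer]:
            return 401, None  # unknown or revoked bearer token
        if method == "GET" and path == PROBE_PATH:
            return 200, {"username": "constructed-user"}
        if method == "POST" and path == "/oauth/revoke":
            return 200, None  # accepted, but the ai_workflows token stays valid
        if method == "POST" and path == "/api/v4/ai/duo_workflows/revoke_token":
            self.tokens[bearer] = True
            return 204, None
        return 404, None


if __name__ == "__main__":
    import os
    gdk_token = os.environ.get("GDK_TOKEN")
    transport = urllib_send if gdk_token else FakeGitLab().send
    for step, ok in run_validation(transport, gdk_token or "constructed-private-token").items():
        print(f"{'PASS' if ok else 'FAIL'}  {step}")
```

Against a real GDK the only variable to change is `PROBE_PATH` if `/api/v4/user` turns out not to be readable with the `ai_workflows` scope; every other path comes from the MR steps.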
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Halil Coban