Revoking site access in OAuth 2.0 3LO flow

I am referring to Known Issues: Site-scoped grants limitations of the OAuth 2.0 (3LO) apps documentation.

With site-scoped grants, an access token can have access to multiple sites. This means that an app can’t delete an access token to revoke access. For example, an access token could grant access to site A, then delete it to remove access. However, if the user grants the app access to site C later, the app will be issued with an access token with access to sites A and B. The only way access can be removed is for the user to revoke access via the Connect apps tab in their account settings at https://{subdomain}.atlassian.net/people/{account_id}/settings/apps.

At least for me this isn’t working; the constructed URL redirects to

https://{subdomain}.atlassian.net/people/{account_id}

The only way to revoke access is via

https://id.atlassian.com/manage-profile/apps

which revokes the complete access but not for single sites.

Can anyone point me in the right direction?

1 Like