Session Revocation — Google Workspace
Challenge signs out Google Workspace users using the Admin SDK Directory API.
Credentials
Challenge stores a Google Admin SDK access token (Bearer). Typical setup:
- Create a Google Cloud project and enable the Admin SDK API.
- Create a service account and enable domain-wide delegation.
- In Google Workspace Admin, authorize the service account client ID with the scopes below.
- Use the service account to impersonate a super-admin or a dedicated admin user and mint an access token for that user, then paste the token into Challenge (or automate token refresh outside Challenge).
Configure under Integrations → Session Revocation → Google Workspace.
API calls Challenge makes
| Step | Method | Endpoint |
|---|---|---|
| Lookup | GET | https://admin.googleapis.com/admin/directory/v1/users/{userKey} |
| Revoke | POST | https://admin.googleapis.com/admin/directory/v1/users/{userKey}/signOut |
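The two calls above, wired to the domain-wide-delegation setup from the Credentials section, as an added example that is not Challenge's own code. It assumes the google-auth library for token minting (imported inside `mint_admin_token` so the rest runs without it), and the `send` parameter of `revoke_sessions` is a hypothetical injection point so the call sequence can be exercised against a fake transport; the result names mirror the Troubleshooting table on this page.

```python
"""Added example (not Challenge's own code): mint a delegated Admin SDK token,
look the user up, then call users.signOut, mapping HTTP results to the
symptom names used on this page."""
import json
import urllib.error
import urllib.parse
import urllib.request

ADMIN_API = "https://admin.googleapis.com/admin/directory/v1/users"

# Exactly the two scopes the page authorizes; nothing broader.
SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
)


def lookup_url(user_key: str) -> str:
    """GET .../users/{userKey}. The primary email is percent-encoded so that
    characters such as '+' or '/' in an address cannot alter the path."""
    return f"{ADMIN_API}/{urllib.parse.quote(user_key, safe='')}"


def signout_url(user_key: str) -> str:
    """POST .../users/{userKey}/signOut."""
    return f"{lookup_url(user_key)}/signOut"


def mint_admin_token(service_account_file: str, admin_subject: str) -> str:
    """Mint a short-lived Bearer token via domain-wide delegation.
    Assumes the google-auth library (pip install google-auth); imported here
    so the rest of the module runs without it."""
    from google.oauth2 import service_account
    from google.auth.transport.requests import Request

    creds = service_account.Credentials.from_service_account_file(
        service_account_file, scopes=list(SCOPES), subject=admin_subject
    )
    creds.refresh(Request())  # one JWT grant -> access token (about 1 hour)
    return creds.token


def _urllib_send(method: str, url: str, token: str) -> tuple[int, bytes]:
    """Default transport: returns (status, body) and never raises on 4xx."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if method == "POST":
        req.add_header("Content-Length", "0")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def revoke_sessions(token: str, primary_email: str, send=_urllib_send) -> dict:
    """Lookup, then signOut. The 'result' key uses the same symptom names as
    the troubleshooting table ('user_not_found', 'http_403'), plus 'revoked'
    on success or 'http_<code>' for any other failure. 'send' is a hypothetical
    hook (method, url, token) -> (status, body) so the flow can be tested offline."""
    status, body = send("GET", lookup_url(primary_email), token)
    if status == 404:
        return {"result": "user_not_found", "email": primary_email}
    if status == 403:
        return {"result": "http_403", "step": "lookup"}
    if status != 200:
        return {"result": f"http_{status}", "step": "lookup"}
    user = json.loads(body)
    # Use the directory's canonical id for signOut rather than the caller's
    # string, so a lookup that matched an alias still targets the right account.
    user_id = user.get("id", primary_email)
    status, _ = send("POST", signout_url(user_id), token)
    if status == 403:
        return {"result": "http_403", "step": "signOut"}
    if status not in (200, 204):  # signOut returns an empty body on success
        return {"result": f"http_{status}", "step": "signOut"}
    return {
        "result": "revoked",
        "email": user.get("primaryEmail", primary_email),
        "id": user_id,
    }


if __name__ == "__main__":
    # Real run: python this_file.py sa.json admin@example.com target@example.com
    import sys

    tok = mint_admin_token(sys.argv[1], sys.argv[2])
    print(revoke_sessions(tok, sys.argv[3]))
```

The lookup step is kept before signOut deliberately: it turns a mistyped address into `user_not_found` instead of a bare 404 from signOut, and it lets the revoke call use the directory id that the lookup returned.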
Least-privilege guidance
Authorize only:
| OAuth scope | Purpose |
|---|---|
| https://www.googleapis.com/auth/admin.directory.user.readonly | User lookup |
| https://www.googleapis.com/auth/admin.directory.user.security | signOut for a user |
See the Directory API reference for users.signOut. Where your policy allows, impersonate a user holding a dedicated Workspace admin role that can manage user security settings rather than a full super-admin.
Username format
Use the user’s primary email address.
Troubleshooting
| Symptom | Check |
|---|---|
| user_not_found | Email does not match a primary address in the Workspace directory |
| http_403 | Domain-wide delegation scopes or admin role insufficient |