Problem

Coder currently does not revoke users' oauth tokens when they unlink an account.
This is explicitly called out here:

RFC 7009 specifies a mechanism whereby OAuth authorization servers may expose an endpoint allowing immediate revocation of an access token or refresh token.

This is supported by the following external authentication providers:

• GitLab (https://docs.gitlab.com/ee/api/oauth2.html#revoke-a-token)
• Keycloak (https://www.keycloak.org/securing-apps/oidc-layers#_token_revocation_endpoint)

Unfortunately, this does not appear to be uniformly supported across providers.
It is currently not supported / unknown on these providers:

• BitBucket (https://jira.atlassian.com/browse/BCLOUD-22302)
• Entra ID (link TBD)

Some providers provide custom implementations not in line with the spec:

• GitHub (https://docs.github.com/en/rest/apps/oauth-applications?apiVersion=2022-11-28#delete-an-app-authorization)

Proposed Solution

When a user unlinks their account, coderd should attempt to revoke the token via the /revoke endpoint if configured.
The token revocation endpoint should be specified by CODER_EXTERNAL_AUTH_#_REVOKE_URL.
This will be done on a 'best effort' basis. If the authorization server returns any response other than 200, we should assume that the token revocation failed and advise the user to delete the token manually.