Jaap Francke
2017-05-31 10:01:36 UTC
Hi all,
It's only since recently that I'm sticking my nose deeper into the various OAuth (draft) specifications.
I also recently joined this mailing list.
I have a question and I hope someone can help me.
I've been looking for a mechanism/endpoint/specification for token revocation.
RFC 7009 is aimed at token revocation by the client itself - logoff is the typical use case.
What I'm looking for is a possibility for the end user (resource owner) to revoke one of his tokens from a different client.
Use cases for this would be:
- suspicion that the password is compromised, so the end user wants to change his password and terminate all sessions on any device. For such devices to regain access, they would need the new password.
- stolen/lost device; the end user should be able to revoke specific access/refresh tokens that have been issued for the stolen/lost device.
Any thoughts on this?
Thanks in advance,
Jaap Francke
Product Manager iWelcome
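The gap the post describes, as an added example that is not part of the thread: a minimal authorization-server token registry contrasting RFC 7009-style revocation (the issuing client revokes its own token, and a request for a token issued to another client is refused) with the two resource-owner-initiated operations the use cases call for. All user, client, device and token values are constructed sample data.

```python
"""Added example, not code from the mailing-list post. Constructed data only."""
from dataclasses import dataclass
from typing import Dict
import secrets


@dataclass
class Token:
    value: str
    user: str        # resource owner the token belongs to
    client_id: str   # client the token was issued to
    device: str      # device label recorded at issuance (assumption: server keeps it)
    revoked: bool = False


class TokenRegistry:
    def __init__(self):
        self._tokens: Dict[str, Token] = {}

    def issue(self, user, client_id, device):
        tok = Token(secrets.token_urlsafe(16), user, client_id, device)
        self._tokens[tok.value] = tok
        return tok.value

    def is_active(self, value):
        tok = self._tokens.get(value)
        return tok is not None and not tok.revoked

    def revoke_by_client(self, value, client_id):
        """RFC 7009 style: only the client the token was issued to may revoke it.
        Returns True when the token was revoked; unknown or foreign tokens are refused."""
        tok = self._tokens.get(value)
        if tok is None or tok.client_id != client_id:
            return False
        tok.revoked = True
        return True

    def _revoke_where(self, predicate):
        # Revoke every still-active token matching predicate; return how many.
        hits = [t for t in self._tokens.values() if not t.revoked and predicate(t)]
        for t in hits:
            t.revoked = True
        return len(hits)

    def revoke_device(self, user, device):
        """Lost/stolen device: the resource owner revokes that device's tokens only."""
        return self._revoke_where(lambda t: t.user == user and t.device == device)

    def revoke_all_for_user(self, user):
        """Suspected password compromise: terminate every session of the user,
        so each device must re-authenticate with the new password."""
        return self._revoke_where(lambda t: t.user == user)
```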