IdentityModel / AuthorizationServer

Sample implementation of an OAuth2 Authorization Server

Signout/Token revocation from AuthorizationServer #231

Closed unipeg closed 10 years ago

unipeg commented 10 years ago

I would like to extend AuthorizationServer with an endpoint that enables relying parties to signout. It will do a token revocation like Brock does here: https://github.com/brockallen/BrockAllen.MembershipReboot/blob/master/src/BrockAllen.MembershipReboot.WebHost/SamAuthenticationService.cs

Now for the real question: I would like it to do a callback chain to all previous relying parties, so that they can clean up local cached tokens or whatever housekeeping they may have to clear the session. This means that the server needs to keep track of token grants per client. It's a bit like the signout process of ws-federation. Does the OAuth2 spec include such a scenario, or am I on a slippery slope here?

Best, Per

leastprivilege commented 10 years ago

The closest thing to that would be: http://tools.ietf.org/html/rfc7009

But yea - since OAuth2 is not about authentication, it also does not have the notion of an authentication session or signout.
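An added example, not code from the AuthorizationServer project, modelling the two pieces this thread touches: an RFC 7009 revocation endpoint and the per-client grant bookkeeping the question asks about. The `signout` method is the issue's proposed extension, not something RFC 7009 defines; the class and token names are constructed, and treating a token owned by another client like an unknown token is a design choice made here.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:  # one subject's authorization to one client (constructed model)
    client_id: str
    subject: str
    tokens: dict = field(default_factory=dict)  # token value -> "access_token" | "refresh_token"

class RevocationEndpoint:
    def __init__(self):
        self.grants = {}       # (client_id, subject) -> Grant: the per-client bookkeeping
        self.token_owner = {}  # token value -> (client_id, subject)

    def issue(self, client_id, subject, access_token, refresh_token=None):
        g = self.grants.setdefault((client_id, subject), Grant(client_id, subject))
        g.tokens[access_token] = "access_token"
        if refresh_token:
            g.tokens[refresh_token] = "refresh_token"
        for t in g.tokens:
            self.token_owner[t] = (client_id, subject)

    def _drop(self, token):  # forget one token; forget the grant once it holds nothing
        key = self.token_owner.pop(token, None)
        if key is None:
            return
        self.grants[key].tokens.pop(token, None)
        if not self.grants[key].tokens:
            del self.grants[key]

    def revoke(self, client_id, token, token_type_hint=None):
        # RFC 7009 sections 2.1/2.2: 200 for unknown tokens; a token owned by another client
        # is treated the same here (no existence oracle); 400 only for an unsupported hint.
        if token_type_hint not in (None, "access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}
        key = self.token_owner.get(token)
        if key is None or key[0] != client_id:
            return 200, {}
        if self.grants[key].tokens[token] == "refresh_token":
            # revoking a refresh token SHOULD also invalidate the grant's access tokens
            for t in list(self.grants[key].tokens):
                self._drop(t)
        self._drop(token)
        return 200, {}

    def signout(self, subject):
        # the callback chain from the issue: revoke every grant the subject holds and
        # return the client ids whose cached tokens and local session must be cleared
        keys = [k for k in self.grants if k[1] == subject]
        for key in keys:
            for t in list(self.grants[key].tokens):
                self._drop(t)
        return sorted(cid for cid, _ in keys)
```

The returned client list is what a back-channel notifier would iterate over; the callback transport itself is outside what OAuth2 specifies, as the reply above notes.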