jaredhanson / passport

Simple, unobtrusive authentication for Node.js.
https://www.passportjs.org?utm_source=github&utm_medium=referral&utm_campaign=passport&utm_content=about
MIT License

Support proposed standard for token revocation #201

Closed harleensahni closed 10 years ago

harleensahni commented 10 years ago

Please add support for passport to revoke oauth2 tokens on the oauth2 authorization server. See http://tools.ietf.org/html/rfc7009

jaredhanson commented 10 years ago

That's outside the scope of Passport, which is authentication only. This functionality should be implemented by a different module.

WilliamVenner commented 2 years ago

@jaredhanson This is actually a security vulnerability! Compromised users logging out of applications should expect the attacker to no longer have access to the application, but this is not the case because of this decision: I don't think we should expect applications using Passport.js to implement token revocation for 500+ integrations, and similarly users of Passport.js do not expect to have to implement this themselves, and realistically speaking, nobody wants to do that if their application supports hundreds of integrations. Unfortunately this has led to virtually all of the ecosystem of Passport.js users being vulnerable to this security issue, unless they decided to monkey patch a blacklist of revoked tokens into their own databases.

Please reconsider this decision so that we can start addressing this issue ASAP. Applications using Passport.js should not need to worry about monkey patching this in themselves for the numerous integrations they choose. I think "authentication only" DOES include token revocation in its scope: when a user logs out, they should no longer be authenticated. Simply deleting a cookie does not exactly achieve that.

Of course implementing token revocation in Passport.js for 500+ integrations is no small task. It would make sense for us to gradually implement this, starting with the major integrations (Google, Facebook, Twitter, etc.), and people can open pull requests as needed. I can start with a Google one if you'd like?