stormpath / stormpath-framework-spec

Language-agnostic API specification for Stormpath Framework Integrations

Self-service token revocation #120

Open robertjd opened 8 years ago

robertjd commented 8 years ago

Use case: a mobile client is authenticated with an access token and may also have a refresh token; now the user wants to "log out" and have those tokens revoked.

At the moment we don't have an easy way to do this. The workaround would be to make a POST to the /logout endpoint, and supply the tokens as if they were the access_token and refresh_token cookies that the /logout endpoint expects.

I suggest that we implement the /oauth/revoke endpoint, as suggested by this RFC:

https://tools.ietf.org/html/rfc7009

It specifies a singular token field for the body, with a token_type_hint field to give it a clue about access vs. refresh token. This feels pretty reasonable to me; it just means that the client has to make two requests if it has both types of tokens.
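As an added example (not from this issue or the Stormpath spec), here is a minimal RFC 7009 style /oauth/revoke handler over a constructed in-memory token store, plus the client-side "log out" that makes the two requests described above. TokenStore, revoke_handler and logout are assumed names for illustration.

```python
# Added example, not Stormpath's code: an RFC 7009 style /oauth/revoke handler
# over a constructed in-memory store; TokenStore/revoke_handler/logout are assumed names.
from typing import Dict, Optional, Tuple

class TokenStore:
    """Constructed in-memory store: token string -> (type, subject, grant_id)."""
    def __init__(self) -> None:
        self.tokens: Dict[str, Tuple[str, str, str]] = {}

    def issue(self, token: str, token_type: str, subject: str, grant_id: str) -> None:
        self.tokens[token] = (token_type, subject, grant_id)

    def is_active(self, token: str) -> bool:
        return token in self.tokens

    def revoke(self, token: str) -> None:
        entry = self.tokens.pop(token, None)
        if entry and entry[0] == "refresh_token":
            # RFC 7009 section 2.1: revoking a refresh token SHOULD also
            # invalidate access tokens issued from the same grant.
            grant = entry[2]
            for t, e in list(self.tokens.items()):
                if e[2] == grant:
                    del self.tokens[t]

SUPPORTED_HINTS = {"access_token", "refresh_token"}

def revoke_handler(store: TokenStore, form: Dict[str, str]) -> Tuple[int, dict]:
    """Handle POST /oauth/revoke (form-encoded body with token and
    optional token_type_hint). Returns (HTTP status, JSON body)."""
    token = form.get("token")
    if not token:
        return 400, {"error": "invalid_request"}
    hint = form.get("token_type_hint")
    if hint is not None and hint not in SUPPORTED_HINTS:
        return 400, {"error": "unsupported_token_type"}
    # The hint is only an optimisation: a wrong hint must not prevent
    # revocation, so the store is searched regardless of token type.
    store.revoke(token)
    # Invalid or already-revoked tokens still get 200, so the endpoint
    # cannot be used to probe which tokens exist (RFC 7009 section 2.2).
    return 200, {}

def logout(store: TokenStore, access: Optional[str], refresh: Optional[str]) -> list:
    """Client-side 'log out': one /oauth/revoke request per token held."""
    results = []
    for tok, hint in ((refresh, "refresh_token"), (access, "access_token")):
        if tok:
            results.append(revoke_handler(store, {"token": tok, "token_type_hint": hint}))
    return results
```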

nbarbettini commented 8 years ago

:+1: