Use case: a mobile client is authenticated with an access token and may also have a refresh token; now the user wants to "log out" and have those tokens revoked.

At the moment we don't have an easy way to do this. The workaround would be to make a POST to the /logout endpoint, and supply the tokens as if they were the `access_token` and `refresh_token` cookies that the /logout endpoint expects.

I suggest that we implement the `/oauth/revoke` endpoint, as suggested by this RFC: https://tools.ietf.org/html/rfc7009

It specifies a singular `token` field for the body, with a `token_type_hint` field to give it a clue about access vs. refresh token. This feels pretty reasonable to me; it just means that the client has to make two requests if it has both types of tokens.
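As an added illustration (not code from this project or the issue author) of what an RFC 7009 `/oauth/revoke` handler has to get right, the following sketch processes the `token` and `token_type_hint` form fields described above. The `RevocationEndpoint` class, its in-memory token stores and the sample token values are constructed for the example; the caller is assumed to have already performed client authentication and passes the resulting `client_id` in. It shows three behaviours the RFC asks for that are easy to miss: a wrong hint must still revoke the token, an unknown token still gets a 200 (so the endpoint cannot be used to test token validity), and revoking a refresh token may cascade to the access tokens issued under the same grant.

```python
"""Minimal RFC 7009 /oauth/revoke handler (added example, not the project's code)."""
from urllib.parse import parse_qs


class RevocationEndpoint:
    """In-memory token stores: token value -> (client_id, grant_id).

    The stores hold constructed sample data; a real server would back them with
    its token table. grant_id ties an access token to the refresh token it was
    issued alongside, so revoking the refresh token can cascade (RFC 7009 2.1).
    """

    def __init__(self):
        self.access_tokens = {"at-123": ("mobile-app", "grant-1")}
        self.refresh_tokens = {"rt-456": ("mobile-app", "grant-1")}

    def handle_post(self, body: str, authenticated_client: str):
        """Handle POST /oauth/revoke.

        body: the application/x-www-form-urlencoded request body.
        authenticated_client: client_id established by client authentication,
        which RFC 7009 2.1 requires; the authentication step itself is assumed
        to have happened before this method is called.
        Returns (http_status, json_body).
        """
        params = parse_qs(body, keep_blank_values=True)
        token = params.get("token", [""])[0]
        hint = params.get("token_type_hint", [None])[0]

        if not token:
            return 400, {"error": "invalid_request"}
        if hint not in (None, "access_token", "refresh_token"):
            # 2.2.1: the hint names a token type this server does not support
            return 400, {"error": "unsupported_token_type"}

        # The hint is only an optimisation: search the hinted store first, then
        # the other one, so a wrong hint still revokes the token (2.1).
        stores = [("access_token", self.access_tokens),
                  ("refresh_token", self.refresh_tokens)]
        if hint == "refresh_token":
            stores.reverse()

        for kind, store in stores:
            if token not in store:
                continue
            owner, grant_id = store[token]
            if owner != authenticated_client:
                # Token belongs to another client: leave it alone, but still
                # answer 200 (2.2) so the endpoint cannot be used to probe
                # whether a token is valid.
                return 200, {}
            del store[token]
            if kind == "refresh_token":
                # 2.1: revoking a refresh token SHOULD also invalidate the
                # access tokens issued under the same grant.
                for at, (_, g) in list(self.access_tokens.items()):
                    if g == grant_id:
                        del self.access_tokens[at]
            return 200, {}

        # Unknown or already-revoked token: 2.2 says respond 200, not an error.
        return 200, {}


if __name__ == "__main__":
    ep = RevocationEndpoint()
    print(ep.handle_post("token=at-123&token_type_hint=access_token", "mobile-app"))
    print(ep.handle_post("token=rt-456", "mobile-app"))
    print(ep.access_tokens, ep.refresh_tokens)
```

Whether the server cascades from a refresh token to its access tokens is a server-side choice the RFC marks as SHOULD; a client that cannot rely on it still makes the two requests mentioned above, one per token type.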