Closed nbarbettini closed 7 years ago
Ping @edjiang - covers the scenario we were discussing.
Awesome! Will test tomorrow. Just reading through the framework spec now, though, and it seems like revoking via Auth header is not explicitly stated. I know there was some discussion about /oauth/revoke for client auth...
Yeah, this should probably go up for discussion among the team.
Seems like the discussion was positive. I'll review tomorrow and get merged.
Ping @edjiang - dotnet is now passing this test, any hold up for getting it merged?
Sure, we should probably add a test for oauth/revoke though.
I kept hearing ideas for merging framework spec + client api proxying, but I don't think that's actually written anymore. Do you know if there's something that states how the proxy will work in the future?
> Do you know if there's something that states how the proxy will work in the future?
AFAIK, not yet. Definitely needs to happen at some point though.
We test that tokens passed via cookies are revoked (deleted) on logout, but we don't test whether tokens passed via a Bearer header are revoked.