On 4/24/09 4:35 AM, Manish Pandit wrote: > A little off-topic, but I always wondered the lack of > "revoke_access_token" endpoint. If the victim were to find out that > his account has been compromised, what options does he have? Some > providers (I know I would) may provide the revoke_access_token > endpoint but shouldnt the spec kind of make it standard like the other > 3?
This should really remain OUTSIDE the scope of the OAuth spec. It should be strongly recommended that a SP provide a UI for managing authorized consumers, but that is not required to effect authorization between a consumer and SP. And no, I wouldn't trust a consumer to initiate the token revocation flow. Hahaha. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
