The draft relies heavily on the term "access grant", but no definition is 
provided in the draft or RFC 6749. It's been my interpretation that an "access 
grant" is the *fact* that a resource owner has authorized a client (potentially 
scoped) access to the protected resources. Once access is granted in this 
manner, further access tokens may be obtained without explicit permission by 
the end-user. That is, in the Protocol Flow there is no user input between 
steps A and B.

In "1. Introduction" it is stated:

>  A
>    revocation request will invalidate the actual token and, if
>    applicable, other tokens based on the same access grant and the
>    access grant itself.

then, in "2. Token Revocation":

>  In the next step, the authorization server invalidates the token and
>    the respective access grant.  If the particular token is a refresh
>    token and the authorization server supports the revocation of access
>    tokens, then the authorization server SHOULD also invalidate all
>    access tokens based on the same access grant

This implies that an access grant only applies to an app authorized on a single 
device. If an app is installed on multiple devices and the access grant is 
shared between both instances, revoking device A's access token results in the 
unexpected revocation of device B's token.

If "access grant" could be defined as "an authorization issued to the client, 
based on the single use of an Authorization Grant" it becomes clear that only 
the tokens spawned from the app's authorization on device A should be revoked.

---

I spotted a typo in "3. Implementation Note":

> Whether this is an viable option or
>    whether access token revocation is required should be decided based
>    on the service provider's risk analysis.

"an viable option" should be "a viable option".

On 24 Nov 2012, at 18:13, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:

> Hi all, 
> 
> this is a working group last call for draft-ietf-oauth-revocation-03 on 
> "Token Revocation".  The draft is available here:
> http://tools.ietf.org/html/draft-ietf-oauth-revocation-03
> 
> Please send your comments to the OAuth mailing list by December 10, 2012.
> 
> Thanks,
> Hannes & Derek
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
Mark Wubben

http://novemberborn.net
http://twitter.com/novemberborn

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
