Review:
1. Since it is not stated, I assume that the Revocation Endpoint can exist on a different server from the Authorization Server (or is it assumed that they are one)? If so, how is the Revocation Endpoint found?
2. Any token type that is supported can be revoked, including a refresh token?
3. Why does one have to send the token; can't this just be an auth_code?
4. Says CORS SHOULD be supported; I think a MAY would be better here, since a site may have issues supporting CORS.
5. It does not say, but is the revocation to be immediate upon the return of the request?
6. Does the revocation of the access token also revoke the refresh token (if it was provided)? Or is this a revocation policy decision?
7. Section 2 says "the client MUST NOT use this token again". Well, that seems odd; not sure this should be here, as the client could try to use it again, and there is no need to put support in the client to prevent this.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
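Questions 2, 3, 5 and 6 above are easier to reason about against a concrete endpoint. The following Python model is an added example for this page, not code from the post, from the draft under review, or from any OAuth implementation. It assumes the semantics the working group's revocation spec ended up with in RFC 7009 (the draft being reviewed may differ): the client authenticates and may only revoke tokens issued to it; token_type_hint is only a hint and the lookup falls back to every supported token type; an unknown or already-revoked token still gets a 200; revoking a refresh token SHOULD also revoke the access tokens minted under the same grant, while revoking an access token cascading to the refresh token is left to server policy. The class and function names, the in-memory token stores, the client_id/secret check standing in for real client authentication, and the error code chosen for a token that belongs to another client are this example's own assumptions.

```python
"""Toy OAuth 2.0 token revocation endpoint (assumed RFC 7009 semantics).

Added example, not code from the mailing-list post or any OAuth project.
All names here are the example's own.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ACCESS, REFRESH = "access_token", "refresh_token"


@dataclass
class Grant:
    """One authorization grant: its refresh token and the access tokens minted from it."""
    grant_id: str
    client_id: str
    refresh_token: Optional[str] = None
    access_tokens: Set[str] = field(default_factory=set)


class RevocationServer:
    def __init__(self, clients: Dict[str, str], access_revokes_refresh: bool = False) -> None:
        self.clients = clients                  # client_id -> client_secret (assumed auth scheme)
        self.access: Dict[str, Grant] = {}      # live access token -> owning grant
        self.refresh: Dict[str, Grant] = {}     # live refresh token -> owning grant
        # Policy knob for "does revoking an access token also kill the refresh
        # token?" (question 6); the spec leaves that to the server.
        self.access_revokes_refresh = access_revokes_refresh

    def issue(self, client_id: str) -> Tuple[str, str]:
        """Issue an access token + refresh token pair under a fresh grant."""
        grant = Grant(grant_id=secrets.token_hex(8), client_id=client_id)
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        grant.access_tokens.add(at)
        grant.refresh_token = rt
        self.access[at] = grant
        self.refresh[rt] = grant
        return at, rt

    def refresh_access(self, refresh_token: str) -> Optional[str]:
        """Mint another access token from a live refresh token (same grant), or None."""
        grant = self.refresh.get(refresh_token)
        if grant is None:
            return None
        at = secrets.token_urlsafe(24)
        grant.access_tokens.add(at)
        self.access[at] = grant
        return at

    def is_active(self, token: str) -> bool:
        """What a resource server would see: True only while the token is live."""
        return token in self.access or token in self.refresh

    def _locate(self, token: str, hint: Optional[str]) -> Tuple[Optional[str], Optional[Grant]]:
        # Try the hinted store first, then every other supported type (hint is only a hint).
        order = [ACCESS, REFRESH]
        if hint in order:
            order.remove(hint)
            order.insert(0, hint)
        for kind in order:
            store = self.access if kind == ACCESS else self.refresh
            if token in store:
                return kind, store[token]
        return None, None

    def _drop_access(self, grant: Grant, tokens: Set[str]) -> None:
        for at in list(tokens):                 # copy: we mutate grant.access_tokens below
            self.access.pop(at, None)
            grant.access_tokens.discard(at)

    def revoke(self, form: Dict[str, str], client_id: Optional[str],
               client_secret: Optional[str]) -> Tuple[int, dict]:
        """Handle POST /revoke with form fields token and token_type_hint. Returns (status, body)."""
        if client_id is None or self.clients.get(client_id) != client_secret:
            return 401, {"error": "invalid_client"}
        token = form.get("token")
        if not token:
            return 400, {"error": "invalid_request"}
        hint = form.get("token_type_hint")
        if hint is not None and hint not in (ACCESS, REFRESH):
            return 400, {"error": "unsupported_token_type"}
        kind, grant = self._locate(token, hint)
        if grant is None:
            # Unknown or already-revoked token: nothing to do, and not an error.
            return 200, {}
        if grant.client_id != client_id:
            # Issued to a different client: refuse. The spec only says "refused with an
            # RFC 6749 5.2 error"; the specific code is this example's choice.
            return 400, {"error": "unauthorized_client"}
        if kind == REFRESH:
            self.refresh.pop(token, None)
            grant.refresh_token = None
            self._drop_access(grant, grant.access_tokens)   # SHOULD cascade to the grant's access tokens
        else:
            self._drop_access(grant, {token})
            if self.access_revokes_refresh and grant.refresh_token:
                self.refresh.pop(grant.refresh_token, None)
                grant.refresh_token = None
        # The token is gone from the live stores before we return, so revocation is
        # effective by the time the client sees the 200 (question 5).
        return 200, {}
```

The client never has to police itself (question 7): once `revoke` returns, `is_active` is false for the revoked token, so any replay by the client simply fails at the resource server, and a second revocation request for the same token is a harmless 200. Sending the token itself rather than an authorization code (question 3) is what lets the server find the grant to cascade from: a code is single-use and typically discarded at token issuance.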