FWIW, we return unauthorized_client. Le 31 janv. 2014 18:06, "Todd W Lainhart" <lainh...@us.ibm.com> a écrit :
> > ...what's the intended way that the "request is refused and the client > is informed of the error" when the the token was not issued to the client > making the revocation request? > > We return an error_code of "invalid_request" and an appropriate error > message. > > > > > > > > * Todd Lainhart Rational software IBM Corporation 550 King Street, > Littleton, MA 01460-1250* > > > * 1-978-899-4705 <1-978-899-4705> 2-276-4705 (T/L) lainh...@us.ibm.com > <lainh...@us.ibm.com>* > > > > > From: Brian Campbell <bcampb...@pingidentity.com> > To: oauth <oauth@ietf.org>, > Date: 01/31/2014 11:58 AM > Subject: [OAUTH-WG] Another question on RFC 7009 > Sent by: "OAuth" <oauth-boun...@ietf.org> > ------------------------------ > > > > Greetings WG, > > In section 2.1 of RFC 7009, it says: > > "The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token > was issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed > of the error by the authorization server as described below." > > The only error described below is "unsupported_token_type" which doesn't > seem appropriate here. The errors in > *http://tools.ietf.org/html/rfc6749#section-5.2*<http://tools.ietf.org/html/rfc6749#section-5.2>are > referenced too and, while "invalid_client" seems right for failed > client authentication, what's the intended way that the "request is refused > and the client is informed of the error" when the the token was not issued > to the client making the revocation request? None of the defined error > codes seem to fit. > > Furthermore, wouldn't it be better to go ahead and just revoke a token in > the case it's presented by the wrong client? I seem to recall some > discussion around this when 7009 was just a baby > draft-ietf-oauth-revocation and, while I don't recall the outcome, I was > surprised to look at the RFC again and see the text that is there. > > These questions came to me by way of a developer working on implementing > the RFC. I didn't have good answers, beyond the prognostication herein, so > I thought I'd take the questions to the WG list and the document authors. > > Thanks for any clarification, > Brian > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
