Hi Pedro,
can you please explain the rationale for choosing the mode dynamically?
regards,
Torsten.
On 11.06.2014 18:20, Pedro Felix wrote:
Hi,
In the context of RFC 7009, I've a question regarding revocation of
access tokens.
I've a scenario where the revocation of an access token may have
different behaviors
1) Option 1 - just revoke the access token and not the refresh token.
An example is when OAuth 2.0 is being used for authentication (using
OpenID Connect) and we want to revoke the access token after a logout
but keep the refresh token for offline access
2) Option 2 - revoke both the access token *and* the refresh token.
Both behaviors are allowed by RFC 7009; however, there isn't a way for
both to be simultaneously available.
My first thought was to add a custom parameter to the token revocation
request to differentiate between these two cases. Does this make
sense? Is there a better solution?
I know that adding custom parameters breaks compatibility and should
only be used as a last resort.
Regards
Pedro
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
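An added illustration of the two revocation behaviours Pedro describes, written as a toy RFC 7009 revocation endpoint in Python. This is example code written for this page, not code from the thread, from RFC 7009 or from any real authorization server. The `revoke_refresh_token` keyword is a hypothetical custom parameter standing in for the one Pedro proposes, and the in-memory token store is a stand-in for a real token database.

```python
"""Toy RFC 7009 revocation endpoint showing "revoke access token only"
versus "revoke access token and refresh token".

Added example, not code from the mailing-list thread or any real server.
``revoke_refresh_token`` is a hypothetical custom request parameter; RFC 7009
itself defines only ``token`` and ``token_type_hint``.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Grant:
    """One authorization grant: its refresh token (if any) and the
    access tokens minted from it."""
    refresh_token: Optional[str]
    access_tokens: set = field(default_factory=set)
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for the authorization server's token database."""

    def __init__(self):
        self.refresh_index = {}   # refresh token value -> Grant
        self.access_index = {}    # access token value -> Grant

    def issue(self, with_refresh=True):
        """Create a grant and mint its first access token."""
        grant = Grant(secrets.token_urlsafe(16) if with_refresh else None)
        if grant.refresh_token:
            self.refresh_index[grant.refresh_token] = grant
        return grant, self.mint_access(grant)

    def mint_access(self, grant):
        access_token = secrets.token_urlsafe(16)
        grant.access_tokens.add(access_token)
        self.access_index[access_token] = grant
        return access_token

    def is_valid_access(self, token):
        return token in self.access_index

    def is_valid_refresh(self, token):
        return token in self.refresh_index

    def revoke(self, token, token_type_hint=None, revoke_refresh_token=True):
        """Handle one RFC 7009 revocation request.

        Returns (http_status, json_body) as the endpoint would answer.
        ``revoke_refresh_token`` (hypothetical, not in RFC 7009) selects
        option 1 (False) or option 2 (True) when ``token`` is an access token.
        """
        if token_type_hint not in (None, "access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}
        # Look up the hinted type first, then fall back to the other type:
        # the hint is only an optimisation and may be wrong (RFC 7009 2.1).
        order = ["access_token", "refresh_token"]
        if token_type_hint == "refresh_token":
            order.reverse()
        for kind in order:
            if kind == "access_token" and token in self.access_index:
                self._revoke_access(token, cascade=revoke_refresh_token)
                return 200, {}
            if kind == "refresh_token" and token in self.refresh_index:
                self._revoke_grant(self.refresh_index[token])
                return 200, {}
        # Unknown or already-revoked token: still 200, so the endpoint
        # cannot be used as an oracle for which token values exist.
        return 200, {}

    def _revoke_access(self, token, cascade):
        grant = self.access_index.pop(token)
        grant.access_tokens.discard(token)
        if cascade and grant.refresh_token:
            # Option 2: revoking the access token also kills the grant.
            self._revoke_grant(grant)
        # Option 1 (cascade=False): refresh token survives, e.g. after logout
        # while offline access is kept.

    def _revoke_grant(self, grant):
        # Revoking a refresh token SHOULD invalidate every access token
        # issued under the same grant (RFC 7009 section 2.1).
        if grant.refresh_token:
            self.refresh_index.pop(grant.refresh_token, None)
        for access_token in list(grant.access_tokens):
            self.access_index.pop(access_token, None)
        grant.access_tokens.clear()
        grant.revoked = True
```

The store treats the hint as advisory and always returns 200 for an unknown token, both of which RFC 7009 requires; the only thing the custom parameter changes is whether an access-token revocation cascades to its grant. Revoking a refresh token always cascades to its access tokens, matching the SHOULD in the RFC, whereas the RFC leaves the reverse direction as a MAY, which is exactly the choice the custom parameter exposes.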