On Wed, May 31, 2017 at 12:01 PM Jaap Francke <jaap.fran...@iwelcome.com> wrote:
> Hi all,
>
> It’s only since recently that I’m sticking my nose deeper into the various
> OAUTH (draft) specifications.
> I also recently joined this mailing list.
> I have a question and I hope someone can help me.
>
> I’ve been looking for a mechanism/endpoint/specification for token
> revocation.
>
> RFC7009 is aimed at token revocation by the client itself - logoff is the
> typical use case.
> What I’m looking for is a possibility for the end user (resource owner) to
> revoke one of his tokens from a different client.
>
> Use cases for this would be:
> - suspicion that the password is compromised, so the end user wants to change his
> password and terminate all sessions on any device. For such devices to
> regain access, they would need the new password.
> - stolen/lost device; the end user should be able to revoke specific
> access/refresh tokens that have been issued for the stolen/lost device.
>
> Any thoughts on this?
>

That's outside the scope of OAuth I'm afraid. If the AS is the same as the one where the user does those actions, then it's entirely internal (RFC6749/6750 define how clients are "notified" of it – their token is rejected with an invalid_token error code).

If the application allowing the user to do these actions is a special kind of client to the AS, then there'll likely be APIs it can use to list current tokens and authorization grants and allow to revoke them, or revoke all of them at once. In any case, it'd be a special API that either would require a specific scope (that you'd likely only grant to that client) or would allow access based on the client only (either using client credentials, or looking at the

There might exist specifications for such APIs already, but I'm not aware of them (i.e. probably not from the OAuth WG).
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
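An added illustration, not code from the thread or from any OAuth specification: an in-memory model of the AS-side bookkeeping the reply describes, covering the two revocation cases from the question (revoke everything on a password change, revoke only a lost device's tokens) and the RFC 6750-style `invalid_token` rejection a client sees afterwards. All class and function names are hypothetical.

```python
import secrets
from dataclasses import dataclass


@dataclass
class IssuedToken:
    value: str
    user: str
    client_id: str
    device: str
    revoked: bool = False


class TokenRegistry:
    """Hypothetical AS-side store of issued tokens. It keeps the metadata
    (user, client, device) needed for the "special" management API the
    reply mentions: list a user's grants and revoke some or all of them."""

    def __init__(self):
        self._tokens: dict[str, IssuedToken] = {}

    def issue(self, user, client_id, device):
        tok = IssuedToken(secrets.token_urlsafe(32), user, client_id, device)
        self._tokens[tok.value] = tok
        return tok.value

    def list_active(self, user):
        # What a management client would call to show the user his grants
        return [t for t in self._tokens.values() if t.user == user and not t.revoked]

    def revoke_all(self, user):
        # Password-change case: terminate every session on every device
        return sum(self._revoke(t) for t in self.list_active(user))

    def revoke_device(self, user, device):
        # Lost/stolen device: only tokens issued to that device
        return sum(self._revoke(t) for t in self.list_active(user) if t.device == device)

    def _revoke(self, tok):
        tok.revoked = True
        return 1

    def introspect(self, value):
        tok = self._tokens.get(value)
        return tok is not None and not tok.revoked


def protected_resource(registry, bearer):
    """Resource-server side: a revoked token is rejected as RFC 6750 describes,
    HTTP 401 with WWW-Authenticate: Bearer error="invalid_token"."""
    if registry.introspect(bearer):
        return 200, {}
    return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
```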