Re: [OAUTH-WG] Client authentication on token revocation

2020-08-20 Thread Emond Papegaaij
Hi Torsten, Thanks for your insight. I agree, a sender-constrained token, such as when using certificate-bound tokens from RFC 8705, cannot be used by an attacker. It makes sense to only allow the owner to revoke them, probably using the same mechanism by which they are bound to the client. For

Re: [OAUTH-WG] Client authentication on token revocation

2020-08-20 Thread Torsten Lodderstedt
Hi Emond, I tend to agree with your assessment. Revoking bearer tokens without client authentication seems to be better than leaving the attacker the option to use them to invoke resources. However, if the attacker cannot use the access tokens (e.g. because they are sender constrained), the

[OAUTH-WG] Client authentication on token revocation

2020-08-20 Thread Emond Papegaaij
Hi all, We are currently implementing the token revocation endpoint (RFC 7009) on our authorization server and do not understand why it requires client authentication. When a party (a valid client or not) gets hold of a valid access token in whatever way, the least damaging thing it could do with it,
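The policy the two replies above converge on (revoke a bearer token for whoever presents it, but only let the holder of the binding key revoke a sender-constrained token) can be expressed as a small revocation handler. The following is an added example for this archive page, not code from the thread participants or from any authorization server they describe. The names `TokenStore`, `TokenRecord`, `revoke` and `x5t_s256`, the in-memory store, the placeholder certificate bytes and the choice to answer a failed possession check with 401 are assumptions made for the example; a real endpoint would take the peer certificate from the TLS layer and would also have to decide how to treat confidential clients that RFC 7009 otherwise requires to authenticate.

```python
"""
Added example (not from the OAUTH-WG thread): a toy RFC 7009 revocation
endpoint applying the policy discussed in the thread.

- Bearer token: anyone presenting it may revoke it. The presenter could
  already use the token, so revocation is the lesser harm.
- Certificate-bound token (RFC 8705): only a caller whose TLS client
  certificate matches the token's cnf/x5t#S256 thumbprint may revoke it,
  i.e. the same proof of possession that governs use of the token.

All names and the in-memory store are assumptions for this example.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1 thumbprint: base64url(SHA-256(DER cert)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class TokenRecord:
    client_id: str
    active: bool = True
    # Confirmation claim of a sender-constrained token; None means plain bearer.
    cnf: Optional[Dict[str, str]] = None


@dataclass
class TokenStore:
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)

    def issue_bearer(self, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = TokenRecord(client_id=client_id)
        return token

    def issue_cert_bound(self, client_id: str, cert_der: bytes) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = TokenRecord(
            client_id=client_id, cnf={"x5t#S256": x5t_s256(cert_der)}
        )
        return token

    def is_active(self, token: str) -> bool:
        rec = self.tokens.get(token)
        return rec is not None and rec.active


def revoke(store: TokenStore, token: str, client_cert_der: Optional[bytes] = None) -> int:
    """Handle a POST to the revocation endpoint; return the HTTP status to send.

    client_cert_der is the DER-encoded TLS client certificate the caller
    presented (None if the connection had no client certificate).
    """
    rec = store.tokens.get(token)
    if rec is None:
        # RFC 7009 section 2.2: unknown or already-invalid tokens still get 200,
        # so the endpoint cannot be used to probe which tokens exist.
        return 200
    if rec.cnf is None:
        # Bearer token: no client authentication required (thread's proposal).
        rec.active = False
        return 200
    expected = rec.cnf.get("x5t#S256")
    if client_cert_der is None or x5t_s256(client_cert_der) != expected:
        # Sender-constrained token presented without proof of possession.
        # The caller could not use the token either, so do not let them
        # revoke it; otherwise a leaked token becomes a denial-of-service
        # handle. 401 (invalid_client) is one reasonable answer; silently
        # returning 200 without revoking is the other.
        return 401
    rec.active = False
    return 200


if __name__ == "__main__":
    # Constructed placeholder "certificates": any bytes hash to a thumbprint,
    # so no real X.509 parsing is needed to exercise the policy.
    owner_cert = b"constructed-der-bytes-owner"
    attacker_cert = b"constructed-der-bytes-attacker"
    store = TokenStore()
    bearer = store.issue_bearer("app-1")
    bound = store.issue_cert_bound("app-1", owner_cert)
    print("bearer, no auth      ->", revoke(store, bearer))
    print("bound, no cert       ->", revoke(store, bound))
    print("bound, wrong cert    ->", revoke(store, bound, attacker_cert))
    print("bound, owner cert    ->", revoke(store, bound, owner_cert))
    print("bound still active?  ->", store.is_active(bound))
```

The thumbprint comparison is the whole check: a resource server that enforces RFC 8705 compares the same `x5t#S256` value against the mTLS peer certificate before honouring the token, so reusing it for revocation means an attacker who merely copied the token is refused in both places.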