Hi Craig,

thanks for your comment. The revocation endpoint uses the same authentication policy as the core spec. Confidential clients must authenticate using their client secret (or any other credential). The end-user's credentials are not involved at all.

regards,
Torsten.

On 27.10.2011 08:10, Craig McClanahan wrote:
> As a substantive comment on the draft (I'm in favor of it being a working group item), it is not clear whether "Basic" is a required value on the "Authorization" header included in a revocation request. In some scenarios (particularly three-legged), the client app will not possess the username and password of the end user -- it might only possess a currently valid access token. It would seem that including such a token should be a viable authentication mechanism.
>
> Craig McClanahan
>
> On Fri, Sep 16, 2011 at 12:32 PM, Torsten Lodderstedt wrote:
>
>> Hi all,
>>
>> I just published a new revision of the token revocation draft. We added JSONP support (thanks to Marius) and aligned the text with draft 21 of the core spec.
>>
>> We would like to bring this draft forward as a working group item (once the WG is ready). We think its relevance is illustrated by the fact that this draft (or its predecessor) has already been implemented by Google, Salesforce, and Deutsche Telekom.
>>
>> regards,
>> Torsten.
>>
>> -------- Original Message --------
>>
>> Subject: New Version Notification for draft-lodderstedt-oauth-revocation-03.txt
>> Date: Fri, 16 Sep 2011 12:20:14 -0700
>> From: internet-dra...@ietf.org
>> To: tors...@lodderstedt.net
>> CC: sdro...@gmx.de, tors...@lodderstedt.net, mscurte...@google.com
>>
>> A new version of I-D, draft-lodderstedt-oauth-revocation-03.txt has been successfully submitted by Torsten Lodderstedt and posted to the IETF repository.
>>
>> Filename: draft-lodderstedt-oauth-revocation
>> Revision: 03
>> Title: Token Revocation
>> Creation date: 2011-09-16
>> WG ID: Individual Submission
>> Number of pages: 6
>>
>> Abstract:
>> This draft proposes an additional endpoint for OAuth authorization servers for revoking tokens.
>>
>> The IETF Secretariat
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
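As an added example (not code from the draft, from Torsten, or from any of the implementations named in the thread), the following sketches what "the same authentication policy as the core spec" looks like on the authorization-server side of a revocation endpoint: a confidential client authenticates with HTTP Basic client_id:client_secret, exactly as at the token endpoint; a bearer access token on its own is not accepted as client authentication; and the server only revokes a token that was issued to the authenticated client. The client IDs, secrets and token strings are constructed sample data, and the response codes and error names (invalid_client, unauthorized_client, 200 for an unknown token) are assumptions modelled on the later RFC 7009 behaviour rather than anything stated in this -03 draft.

```python
import base64
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample data (hypothetical): registered confidential clients,
# keyed by client_id with their client_secret.
CLIENTS = {
    "s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw",
    "other-client": "Zm9vYmFyYmF6cXV4",
}


@dataclass
class TokenStore:
    # token -> client_id the token was issued to (constructed sample data)
    tokens: dict = field(default_factory=lambda: {
        "45ghiukldjahdnhzdauz": "s6BhdRkqt3",
        "tGzv3JOkF0XG5Qx2TlKWIA": "other-client",
    })


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header a confidential client sends (RFC 2617 Basic)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _authenticate_client(headers):
    """Return the client_id if the Basic credentials are valid, else None.

    Only client credentials are accepted. A 'Bearer <access token>' header,
    the mechanism Craig asks about, is deliberately not treated as client
    authentication: the access token identifies a grant, not the client.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        client_id, _, secret = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret does not leak timing information.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id


def revoke(headers, body, store):
    """Handle POST to the revocation endpoint.

    `headers` is a dict of request headers, `body` the form-encoded request
    body. Returns (http_status, json_body). Assumed status/error codes, see lead-in.
    """
    client_id = _authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}

    params = parse_qs(body, keep_blank_values=True)
    token = params.get("token", [""])[0]
    if not token:
        return 400, {"error": "invalid_request"}

    owner = store.tokens.get(token)
    if owner is None:
        # Unknown or already-revoked token: report success rather than an
        # error, so the endpoint cannot be used to probe which tokens exist.
        return 200, {}
    if owner != client_id:
        # Authenticated, but the token was issued to a different client:
        # refuse instead of letting one client revoke another's tokens.
        return 400, {"error": "unauthorized_client"}

    del store.tokens[token]
    return 200, {}
```

The check that matters for the thread is the ownership test: authenticating the client is necessary but not sufficient, because the revocation endpoint must also refuse to let client A revoke a token that was issued to client B. Repeating a revocation of the same token is idempotent and still returns 200.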