Hi all,

It's only recently that I've been sticking my nose deeper into the various OAuth (draft) specifications. I also recently joined this mailing list. I have a question and I hope someone can help me.
I've been looking for a mechanism/endpoint/specification for token revocation. RFC 7009 is aimed at token revocation by the client itself; logoff is the typical use case. What I'm looking for is a possibility for the end user (resource owner) to revoke one of his tokens from a different client. Use cases for this would be:

- Suspicion that the password is compromised, so the end user wants to change his password and terminate all sessions on any device. For such devices to regain access, they would need the new password.
- Stolen/lost device; the end user should be able to revoke the specific access/refresh tokens that have been issued for the stolen/lost device.

Any thoughts on this?

Thanks in advance,

Jaap Francke
Product Manager
iWelcome