> On Aug 15, 2023, at 11:40 AM, Rodrigo Speller
> wrote:
>
> So, during the flight, I reflected on Matthias' insistence: "What could we be
> missing?" Brilliantly, I think Matthias raised a very important and fixable
> point: “That the user MUST allow the connection on both sides on the clie
Hi Rodrigo,
I fully agree with all your points. You totally got my points and concerns
and as far as I understood your explanations, that's exactly what I was
pointing to as an addition to the protocol instead of letting all further
protocols that may evolve in the future implement such validation f
Arguably the client can't revoke the token. It can request to revoke the
token and then the decision of whether it is revoked is only on the AS. A
client considering a token revoked has no merit on the value of the *active*
flag.
For full context, this is the section:
https://datatracker.ietf.org/
I don’t think it’s necessary to enumerate all of the possible parties that
could have had a hand in revoking the token — it could have also been revoked by the
AS through some backend process or through administrative action. If a token is
revoked, it’s revoked — and the RS doesn’t generally care why