On Wed, Jan 12, 2011 at 4:31 PM, Torsten Lodderstedt <[email protected]> wrote:
> On 12.01.2011 22:19, Richer, Justin P. wrote:
>>
>> Yes, let the server do the work. In practice, it's going to be looking up
>> the token based on the token value anyway (for bearer tokens, at least). All
>> the client really cares about is asking to "revoke this token that I am
>> sending you". If the client credentials and token are correct and
>> verifiable, then the revoke should go through.
>
> What do others think?

I agree with Justin's suggestion, let the server figure out the token type. The server should be able to do that anyhow.

>> A client wanting to revoke both a request token and an access token will
>> have to make several calls to this, unless you want to put in a way to put
>> multiple token values in. I don't recommend that though, as it seems to me
>> an optimization for a problem nobody has yet.
>
> the token_type does not control whether the server deletes all access tokens
> associated with a refresh token.
>
> This depends on the authorization server's policy.

There are cases when the server cannot revoke the access tokens associated with a refresh token (static access tokens for example). That being said, I think the server SHOULD revoke all access tokens if possible.

Marius

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
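The revocation behaviour discussed in this thread, as an added example that is not part of the original thread or of any OAuth implementation: the client sends only the token value and its own credentials, the server resolves the token type by looking the value up in a single table, and, when the token turns out to be a refresh token, a server-side policy flag decides whether the access tokens minted from it are revoked too. Tokens marked as not revocable stand in for the "static access tokens" case. The token store, the `Token` fields, the client table and the response dictionaries are all invented for illustration.

```python
"""Revocation endpoint sketch: the server figures out the token type itself.

Added example, not the OAuth working group's or any library's code.
The Token/TokenStore shapes and the sample data below are constructed.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Token:
    value: str
    kind: str                     # "access" or "refresh"
    client_id: str                # client the token was issued to
    parent: Optional[str] = None  # refresh token an access token was minted from
    revocable: bool = True        # False models a "static" access token
    revoked: bool = False


class TokenStore:
    """One table keyed by token value, so no token_type hint is needed."""

    def __init__(self) -> None:
        self._by_value: Dict[str, Token] = {}

    def add(self, token: Token) -> None:
        self._by_value[token.value] = token

    def lookup(self, value: str) -> Optional[Token]:
        return self._by_value.get(value)

    def children_of(self, refresh_value: str) -> List[Token]:
        # Access tokens derived from the given refresh token, in insertion order.
        return [t for t in self._by_value.values() if t.parent == refresh_value]


def revoke(store: TokenStore, client_id: str, client_secret: str,
           clients: Dict[str, str], token_value: str,
           cascade: bool = True) -> dict:
    """Handle one revocation request.

    `cascade` is the authorization server's policy: when True, revoking a
    refresh token also revokes every revocable access token minted from it.
    """
    # 1. Authenticate the client (constant-time comparison of the secret).
    expected = clients.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return {"status": 401, "error": "invalid_client"}

    # 2. Resolve the token by value alone; the server learns the type here.
    token = store.lookup(token_value)
    if token is None:
        # Unknown token: nothing to do, and no hint about token validity.
        return {"status": 200, "revoked": [], "not_revocable": []}

    # 3. Only the client the token was issued to may revoke it (assumed rule).
    if token.client_id != client_id:
        return {"status": 400, "error": "invalid_request"}

    revoked: List[str] = []
    not_revocable: List[str] = []
    token.revoked = True
    revoked.append(token.value)

    # 4. Policy-driven cascade from a refresh token to its access tokens.
    if token.kind == "refresh" and cascade:
        for child in store.children_of(token.value):
            if not child.revocable:
                not_revocable.append(child.value)  # static token, cannot revoke
                continue
            child.revoked = True
            revoked.append(child.value)

    return {"status": 200, "revoked": revoked, "not_revocable": not_revocable}


# Constructed sample data: two clients, one refresh token with two children.
SAMPLE_CLIENTS = {"app1": "app1-secret", "app2": "app2-secret"}


def build_sample_store() -> TokenStore:
    store = TokenStore()
    store.add(Token("rt-1", "refresh", "app1"))
    store.add(Token("at-1", "access", "app1", parent="rt-1"))
    store.add(Token("at-2", "access", "app1", parent="rt-1", revocable=False))
    store.add(Token("at-3", "access", "app1"))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(revoke(s, "app1", "app1-secret", SAMPLE_CLIENTS, "rt-1"))
```

Running the module revokes `rt-1` and `at-1`, while `at-2` is reported under `not_revocable` because the sample marks it as static; passing `cascade=False` models a server whose policy leaves the access tokens in place.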
