Hi,

In the context of RFC 7009, what should be the response status code if the request contains a *valid* token but associated with a different client?

Should we consider this token to be "invalid" and return a 200? However, the token can still remain valid (for a different client). The RFC states "...and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below". However, it is not clear where the "described below" is.

With a 200 status code, an implementation does not have to check whether the revocation failed due to a client mismatch or due to another reason (e.g. the token does not exist). This may allow for a more efficient revocation procedure.

Thanks,
Pedro
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
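Added example, not from the post, the RFC text, or any existing implementation: a minimal Python revocation handler that follows the approach the post floats, treating a token bound to a different client exactly like an unknown token. Client ids, secrets and token values are constructed; the choice to answer a client mismatch with 200 is an assumption, not something RFC 7009 mandates.

```python
# Constructed sample data: confidential clients and a token store.
CLIENTS = {"client-a": "secret-a", "client-b": "secret-b"}


def make_store():
    """Constructed sample token store: token value -> owning client and state."""
    return {
        "tok-a1": {"client_id": "client-a", "revoked": False},
        "tok-b1": {"client_id": "client-b", "revoked": False},
    }


def is_active(store, token):
    entry = store.get(token)
    return entry is not None and not entry["revoked"]


def revoke(store, client_id, client_secret, form):
    """Handle one RFC 7009 revocation request; returns (http_status, json_body).

    form holds the POST parameters: "token" (required) and the optional
    "token_type_hint", which is only a lookup hint (an unrecognised hint is
    ignored and does not change the response).
    """
    # Confidential client authentication first; failure is reported the way
    # RFC 6749 does it for invalid_client (401).
    if CLIENTS.get(client_id) != client_secret:
        return 401, {"error": "invalid_client"}
    if "token" not in form:
        return 400, {"error": "invalid_request"}
    entry = store.get(form["token"])
    # Design choice from the post (assumption, not RFC text): a token that exists
    # but was issued to another client is handled as "invalid". RFC 7009 answers
    # an invalid token with 200, so an unknown token and a mismatched token are
    # indistinguishable to the caller and nothing is revoked in either case.
    if entry is None or entry["client_id"] != client_id:
        return 200, {}
    entry["revoked"] = True
    return 200, {}
```

Because the mismatch and unknown-token paths return the same 200 with no state change, the endpoint cannot be used by one client to probe whether another client's token exists or is still live.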
