Hi,

In the context of RFC 7009, I've a question regarding revocation of access
tokens.

I've a scenario where the revocation of an access token may have different
behaviors:

1) Option 1 - just revoke the access token and not the refresh token. An
example is when OAuth 2.0 is being used for authentication (using OpenID
Connect) and we want to revoke the access token after a logout but keep the
refresh token for offline access.

2) Option 2 - revoke both the access token *and* the refresh token.

Both behaviors are allowed by RFC 7009; however, there isn't a way for both
to be simultaneously available.

My first thought was to add a custom parameter to the token revocation
request to differentiate between these two cases. Does this make sense? Is
there a better solution?
I know that adding custom parameters breaks compatibility and should only
be used as a last resort.


Regards
Pedro
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
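An added example (not code from the thread or from any server implementation) of how a revocation endpoint could model the two behaviors while keeping RFC 7009's rules: `token` plus optional `token_type_hint`, a fallback search across all token types when the hint is wrong, a 200 response even for unknown tokens so callers cannot probe for valid ones, and revocation of the whole grant when a refresh token is revoked. The `revoke_refresh_token` request parameter is a hypothetical extension standing in for the custom parameter asked about above, and the token store is constructed in-memory sample data.

```python
from urllib.parse import parse_qs

# Constructed sample data: refresh token -> access tokens issued under that grant.
GRANTS = {"rt-1": {"at-1a", "at-1b"}, "rt-2": {"at-2a"}}
REVOKED = set()


def _find(token, hint):
    """Locate the token type; if the hint does not match, search all types (RFC 7009 s2.1)."""
    if hint == "refresh_token":
        order = ["refresh_token", "access_token"]
    else:
        order = ["access_token", "refresh_token"]
    for kind in order:
        if kind == "refresh_token" and token in GRANTS:
            return kind
        if kind == "access_token" and any(token in ats for ats in GRANTS.values()):
            return kind
    return None


def revoke(body, revoke_refresh_default=True):
    """Handle a revocation request body; return (HTTP status, tokens revoked by this call)."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    token = params.get("token")
    if token is None:
        return 400, set()  # invalid_request: the 'token' parameter is mandatory
    hint = params.get("token_type_hint")
    # Hypothetical extension parameter (not in RFC 7009); absent -> server default policy.
    cascade = params.get("revoke_refresh_token", str(revoke_refresh_default).lower()) == "true"
    kind = _find(token, hint)
    revoked_now = set()
    if kind == "refresh_token":
        # RFC 7009: SHOULD also invalidate access tokens based on the same grant.
        revoked_now = {token} | GRANTS[token]
    elif kind == "access_token":
        revoked_now = {token}  # Option 1: only the access token
        if cascade:  # Option 2: MAY revoke the respective refresh token (and its grant) too
            rt = next(r for r, ats in GRANTS.items() if token in ats)
            revoked_now |= {rt} | GRANTS[rt]
    # Unknown tokens still get 200: the client cannot act on an error here anyway.
    REVOKED.update(revoked_now)
    return 200, revoked_now


def is_active(token):
    """Introspection-style check used by resource servers after revocation."""
    return token not in REVOKED
```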
