Hi Pedro, I'm not sure it will exactly answer everything for you but there was a thread a while back that started with a very similar question: http://www.ietf.org/mail-archive/web/oauth/current/msg12430.html
On Wed, Jun 11, 2014 at 10:06 AM, Pedro Felix <[email protected]> wrote:
> Hi,
>
> In the context of RFC 7009, what should be the response status code if the
> request contains a *valid* token but associated with a different client?
>
> Should we consider this token to be "invalid" and return a 200? However,
> the token can still remain valid (for a different client).
>
> The RFC states
>
> "...and then verifies whether the token
> was issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed
> of the error by the authorization server as described below"
>
> However, it is not clear where the "described below" is.
>
> With a 200 status code, an implementation does not have to check if the
> revocation failed due to a client mismatch or due to another reason (e.g.
> token does not exist). This may allow for a more efficient revocation
> procedure.
>
> Thanks
> Pedro
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
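As an added illustration (not code from the thread or from any OAuth library), here is a revocation endpoint check in Python that performs the ownership test Pedro quotes from RFC 7009 and takes the "answer 200 as for an invalid token" option he raises; the in-memory store, record layout and the grant linkage between refresh and access tokens are assumptions made for the example.

```python
import hmac
import logging
from dataclasses import dataclass, field

log = logging.getLogger("revocation")


@dataclass
class TokenRecord:
    client_id: str          # client the token was issued to
    kind: str               # "access_token" or "refresh_token"
    grant_id: str           # authorization grant the token derives from
    revoked: bool = False


@dataclass
class TokenStore:
    # Constructed in-memory store for illustration; keyed by token string.
    tokens: dict = field(default_factory=dict)

    def revoke_grant(self, grant_id: str) -> None:
        # RFC 7009 sec. 2.1: revoking a refresh token SHOULD also invalidate
        # access tokens based on the same authorization grant.
        for rec in self.tokens.values():
            if rec.grant_id == grant_id:
                rec.revoked = True


def handle_revocation(store: TokenStore, authenticated_client_id: str,
                      token: str) -> int:
    """Return the HTTP status for a POST to the revocation endpoint.

    authenticated_client_id comes from client authentication (e.g. HTTP
    Basic on the request), never from a client_id form field.
    """
    record = store.tokens.get(token)
    if record is None:
        # Unknown/invalid token: RFC 7009 sec. 2.2 still answers 200.
        return 200
    if not hmac.compare_digest(record.client_id, authenticated_client_id):
        # Valid token, but issued to a different client. The option raised
        # in the thread: answer exactly as for an invalid token, so the
        # response does not confirm that the token exists; leave the token
        # untouched and log the mismatch for monitoring.
        log.warning("client %s tried to revoke a token it does not own",
                    authenticated_client_id)
        return 200
    if record.kind == "refresh_token":
        store.revoke_grant(record.grant_id)
    else:
        record.revoked = True
    return 200
```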
