What's the point in passing arbitrary other information that is already known by the AS and does not provide the level of security necessary to prevent abuse of the revocation endpoint?
On Thu, Sep 2, 2021, 01:12 Ash Narayanan <[email protected]> wrote: > Hi Thomas, > > The approach you've suggested sounds good. Passing just the client_id > along with the token and type (regardless of client type) would be > consistent with how refresh_token requests are structured. As long as the > new RFC obsoletes this one. > > Ash > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
