Could we perhaps be a little bit more specific on the relationship between DPoP and OAuth 2.0 Token Revocation (RFC 7009)?
I believe that if we constrain *some* token lifecycle events (issuance, refresh), we should constrain *all*, revocation included (please correct me if I'm wrong). There seem to be no direct attack vectors here, but indirect ones might be possible.

For example, by revoking an exfiltrated refresh token, thus killing the session, the attacker could force the user to reauthenticate at the moment the attacker would be ready to steal credentials.

Dmitry
Backbase / Keycloak
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
