A scenario for justifying invalidateToken: - User visits AwesomeApp and wants to connect his Twitter account - AwesomeApp redirects to Twitter's OAuth flow - User fails to notice that someone else, UserX, is already logged in to Twitter in the current browser and clicks through - AwesomeApp detects (somehow, perhaps later) that the wrong Twitter user is connected. They can be a good citizen and revoke the token completely, then send the user back through a full OAuth flow that asks for username/password regardless of sign-in state.
Just my $0.02, Mike On Thu, Apr 8, 2010 at 12:06 PM, Josh Roesslein <jroessl...@gmail.com>wrote: > There is no API endpoint that I know of and don't think one should exist. > Users should not trust > thirdparties to self-revoke access to their accounts. Users should know how > to do it from twitter.com > via the connections page. It might be nice if we could generate a redirect > link to a page on twitter.com > where the user can then revoke the access (sort of like the authorization > page). > > Josh > > > On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos <amos.r...@gmail.com> wrote: > >> Is there anyway to send a request to revoke a token completely without >> requiring the user goto their connections page on twitter? >> >> >> We allow our users to revoke access via our application, but that only >> revokes it on our side. The application would still show up on their >> twitter.com connections page. >> >> Google has one by sending a request to: >> https://www.google.com/accounts/accounts/AuthSubRevokeToken >> >> >> -- >> To unsubscribe, reply using "remove me" as the subject. >> > >
