A scenario for justifying invalidateToken:

   - User visits AwesomeApp and wants to connect his Twitter account
   - AwesomeApp redirects to Twitter's OAuth flow
   - User fails to notice that someone else, UserX, is already logged in to
     Twitter in the current browser and clicks through
   - AwesomeApp detects (somehow, perhaps later) that the wrong Twitter user
     is connected. They can be a good citizen and revoke the token completely,
     then send the user back through a full OAuth flow that asks for
     username/password regardless of sign-in state.

Just my $0.02,


On Thu, Apr 8, 2010 at 12:06 PM, Josh Roesslein <jroessl...@gmail.com> wrote:

> There is no API endpoint that I know of and I don't think one should exist.
> Users should not trust third parties to self-revoke access to their
> accounts. Users should know how to do it from twitter.com via the
> connections page. It might be nice if we could generate a redirect link to
> a page on twitter.com where the user can then revoke the access (sort of
> like the authorization page).
> Josh
> On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos <amos.r...@gmail.com> wrote:
>> Is there any way to send a request to revoke a token completely without
>> requiring the user to go to their connections page on Twitter?
>> We allow our users to revoke access via our application, but that only
>> revokes it on our side.  The application would still show up on their
>> twitter.com connections page.
>> Google has one by sending a request to:
>> https://www.google.com/accounts/accounts/AuthSubRevokeToken