Additionally, in OAuth 2.0 we will have the ability to set expiration dates for tokens, so after a certain time period, tokens could just automatically expire.
I'd rather not have an actual API that would expire a token as that seems like an interesting attack vector.

On Mon, Apr 12, 2010 at 12:53 PM, Abraham Williams <[email protected]> wrote:

> This seems like too much of an edge case for Twitter to spend resources on.
> You can always include &force_login=true to always prompt the user
> for credentials.
>
> Abraham
>
> On Thu, Apr 8, 2010 at 12:23, Mike Repass <[email protected]> wrote:
>
>> A scenario for justifying invalidateToken:
>>
>> - User visits AwesomeApp and wants to connect his Twitter account
>> - AwesomeApp redirects to Twitter's OAuth flow
>> - User fails to notice that someone else, UserX, is already logged in
>>   to Twitter in the current browser and clicks through
>> - AwesomeApp detects (somehow, perhaps later) that the wrong Twitter
>>   user is connected. They can be a good citizen and revoke the token
>>   completely, then send the user back through a full OAuth flow that
>>   asks for username/password regardless of sign-in state.
>>
>> Just my $0.02,
>>
>> Mike
>>
>> On Thu, Apr 8, 2010 at 12:06 PM, Josh Roesslein <[email protected]> wrote:
>>
>>> There is no API endpoint that I know of and don't think one should exist.
>>> Users should not trust third parties to self-revoke access to their
>>> accounts. Users should know how to do it from twitter.com via the
>>> connections page. It might be nice if we could generate a redirect link
>>> to a page on twitter.com where the user can then revoke the access
>>> (sort of like the authorization page).
>>>
>>> Josh
>>>
>>> On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos <[email protected]> wrote:
>>>
>>>> Is there any way to send a request to revoke a token completely without
>>>> requiring the user go to their connections page on Twitter?
>>>>
>>>> We allow our users to revoke access via our application, but that only
>>>> revokes it on our side. The application would still show up on their
>>>> twitter.com connections page.
>>>>
>>>> Google has one by sending a request to:
>>>> https://www.google.com/accounts/accounts/AuthSubRevokeToken
>>>>
>>>> --
>>>> To unsubscribe, reply using "remove me" as the subject.
>
> --
> Abraham Williams | Developer for hire | http://abrah.am
> PoseurTech Labs | Projects | http://labs.poseurtech.com
> This email is: [ ] shareable [x] ask first [ ] private.

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
