[PP-1] Revoke refresh tokens

Created on 16 February 2018, over 6 years ago

Updated 18 January 2024, 5 months ago

Problem/Motivation

We need to revoke both access and refresh tokens from the resource servers in a generic way. One use case is to revoke tokens in the back-end when the user logs out in front-end.

Proposed resolution

Implement a solution that is compliant with the specification RFC 7009. The PHP library we are using already has an issue for token revocation with a pull request.

Remaining tasks

User interface changes

Implement the feature.
Provide functional testing

💬 Support request

Status

Needs work

Version

5.0

Component

Code

Created by

🇧🇾Belarus skorzh Belarus

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 12 months ago →
🇦🇺Australia realityloop
patch against 6.x
Comment 5 months ago →
🇺🇸United States mediabounds
If it's helpful to others, we recently updated the Simple OAuth Revoke → module which just adds the /oauth/revoke route as outlined by the RFC 7009.

(Note: The patch in this issue also adds an /oauth/logout endpoint; that's not part of the RFC 7009 spec so it's not in the Simple OAuth Revoke module.)

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024