Technical Summary
The OAuth Token Revocation specification proposes an additional
endpoint for OAuth authorization servers, which allows clients to
notify the authorization server that a previously obtained refresh
or access token is no longer needed. This allows the authorization
server to clean up security credentials. A revocation request will
invalidate the actual token and, if applicable, other tokens based
on the same authorization grant.
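
A sketch of the server-side effect described above, added here as an
illustration (not code from the specification or from any of the
deployments). The TokenStore class, its method names, the client
ownership check, and the choice to cascade only when a refresh token
is revoked are assumptions of this example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    kind: str        # "access" or "refresh"
    grant_id: str    # authorization grant the token was derived from
    client_id: str   # client the token was issued to
    active: bool = True


class TokenStore:
    """Constructed in-memory model of an authorization server's token state."""

    def __init__(self):
        self._tokens = {}

    def issue(self, kind, grant_id, client_id):
        tok = Token(secrets.token_urlsafe(16), kind, grant_id, client_id)
        self._tokens[tok.value] = tok
        return tok.value

    def is_active(self, value):
        tok = self._tokens.get(value)
        return tok is not None and tok.active

    def revoke(self, value, client_id):
        """Process one revocation request; return the token values invalidated."""
        tok = self._tokens.get(value)
        if tok is None or not tok.active:
            return []  # nothing left to invalidate; the client's goal is already met
        if tok.client_id != client_id:
            # Assumed policy: a client may only revoke tokens issued to it.
            raise PermissionError("token was not issued to this client")
        tok.active = False
        revoked = [tok.value]
        if tok.kind == "refresh":
            # Assumed cascade policy ("if applicable" in the summary): drop every
            # other active token derived from the same authorization grant.
            for other in self._tokens.values():
                if other.grant_id == tok.grant_id and other.active:
                    other.active = False
                    revoked.append(other.value)
        return revoked
```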
Working Group Summary
The document experienced no particular problems in the working
group.
Document Quality
The document has been deployed by four companies, namely
Salesforce, Google, Deutsche Telekom, and MITRE. The
working group reviewed and discussed the document extensively.
There was a comment from the appsdir review that was not
accepted. The reviewer (mnot) suggested that a discovery
mechanism was needed, but the WG is working on generic
OAuth discovery rather than discovery for revocation alone,
and so decided not to make that change.
Personnel
Hannes Tschofenig is the document shepherd.
The responsible area director is Stephen Farrell.