OAuth 2.0 Token Revocation
Draft of message to be sent after approval:
From: The IESG
To: IETF-Announce
Cc: RFC Editor, oauth mailing list, oauth chair
Subject: Protocol Action: 'OAuth 2.0 Token Revocation' to Proposed Standard (draft-ietf-oauth-revocation-11.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Token Revocation' (draft-ietf-oauth-revocation-11.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/
Technical Summary

The OAuth Token Revocation specification proposes an additional endpoint for OAuth authorization servers, which allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. This allows the authorization server to clean up security credentials. A revocation request invalidates the named token and, if applicable, other tokens based on the same authorization grant.

Working Group Summary

The document experienced no particular problems in the working group.

Document Quality

The document has been deployed by four companies: Salesforce, Google, Deutsche Telekom, and MITRE. The working group reviewed and discussed the document extensively. One comment from the appsdir review was not accepted: the reviewer (mnot) suggested that a discovery mechanism was needed, but the WG is working on generic OAuth discovery rather than discovery for revocation alone, and so decided not to make that change.

Personnel

Hannes Tschofenig is the document shepherd. The responsible area director is Stephen Farrell.
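The endpoint behaviour the Technical Summary describes, modelled server-side as an added example (this is not code from the draft, nor from any of the deployments named above). The form parameters `token` and `token_type_hint`, the `unsupported_token_type` error, and the rule that an unknown or already-revoked token still gets a 200 response are taken from RFC 7009, the published form of this draft. The in-memory store, the token formats, the assumption that the caller has already authenticated the client, and the error code used when a token belongs to a different client are this example's own choices.

```python
"""Server-side model of an OAuth 2.0 revocation endpoint (RFC 7009 semantics).

Constructed example: in-memory token store, no HTTP layer, no real client
authentication. The transport layer is assumed to have authenticated the
client already and to pass its client_id into revoke().
"""
from dataclasses import dataclass, field
import secrets
from typing import Dict, Set, Tuple


@dataclass
class Grant:
    """One authorization grant and every token minted under it."""
    grant_id: str
    client_id: str
    tokens: Set[str] = field(default_factory=set)
    revoked: bool = False


class AuthorizationServer:
    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}
        # token value -> (grant_id, token type); one index serves both token types
        self._by_token: Dict[str, Tuple[str, str]] = {}

    def issue(self, client_id: str) -> Tuple[str, str]:
        """Mint an access/refresh token pair under a fresh grant (example token format)."""
        grant = Grant(grant_id=secrets.token_hex(8), client_id=client_id)
        access = "at-" + secrets.token_urlsafe(16)
        refresh = "rt-" + secrets.token_urlsafe(16)
        for value, ttype in ((access, "access_token"), (refresh, "refresh_token")):
            grant.tokens.add(value)
            self._by_token[value] = (grant.grant_id, ttype)
        self._grants[grant.grant_id] = grant
        return access, refresh

    def is_valid(self, token: str) -> bool:
        """What a resource server would ask: is this token still live?"""
        entry = self._by_token.get(token)
        return entry is not None and not self._grants[entry[0]].revoked

    def revoke(self, client_id: str, form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        """Handle one POST to the revocation endpoint.

        `form` is the decoded application/x-www-form-urlencoded body: the
        required `token` and the optional `token_type_hint` (RFC 7009 s.2.1).
        Returns (HTTP status, JSON body).
        """
        token = form.get("token")
        if token is None:
            return 400, {"error": "invalid_request"}
        hint = form.get("token_type_hint")
        if hint is not None and hint not in ("access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}

        entry = self._by_token.get(token)
        if entry is None:
            # RFC 7009 s.2.2: an invalid or already-revoked token is not an
            # error. Answer 200 so the endpoint is not a token-validity oracle.
            return 200, {}
        grant_id, _actual_type = entry  # the hint only speeds lookup; it never decides the outcome
        grant = self._grants[grant_id]
        if grant.client_id != client_id:
            # Token was not issued to the requesting client: RFC 7009 s.2.1 says
            # the request is refused. The specific error code is this example's choice.
            return 400, {"error": "invalid_request"}

        # Invalidate the named token and every other token based on the same grant.
        grant.revoked = True
        for value in grant.tokens:
            self._by_token.pop(value, None)
        return 200, {}


if __name__ == "__main__":
    srv = AuthorizationServer()
    at, rt = srv.issue("client-a")
    print(srv.revoke("client-a", {"token": rt, "token_type_hint": "refresh_token"}))
    print("access token still valid after refresh-token revocation:", srv.is_valid(at))
```

Revoking either token here takes down the whole grant, which matches the summary's "other tokens based on the same authorization grant"; RFC 7009 requires this direction for a refresh token (access tokens under the same grant SHOULD go) and leaves the reverse (revoking an access token also killing the refresh token) to the server's discretion. Note the asymmetry a deployment has to accept: an unknown token gets 200 by design, while a token issued to a different client is refused, so the error path still distinguishes "exists, not yours" from "does not exist"; rate-limiting the endpoint per client is the usual mitigation.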