-
Notifications
You must be signed in to change notification settings - Fork 780
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Token revocation not following the OAuth 2.0 spec #1310
Comments
We'll need a lot more info here. How are you revoking them? What's happening? What are you expecting to happen? Please share some code. |
To revoke a token according to the spec, the client must
As far as I know, here's how the Passport API allows revoking of access tokens:
If it were spec-compliant which I was hoping for, it should look like this more or less:
|
This spec isn't in oauth server yet but is on the cards. Device code grant first, then this |
Gonna markt this as a feature request then and wait for oauth2 server to implement it first. Thanks @Sephster! |
I'm guessing thephpleague/oauth2-server#995 implements this. Closing this until OAuth2 has implemented support first. |
Hi! I'm trying to connect my password-grant client to my Passport-enabled server. For that, I use a client library that happens to strictly follow the 2.0 spec. Everything's doing well up until I try to revoke the access token. It seems it requires my authorization server to follow the standard on revoking tokens.
Does Passport have a way for dealing with this that I'm not aware of? I don't want to resort to monkey-patching the client or server for this as much as possible.
The text was updated successfully, but these errors were encountered: