[OAUTH-WG] token revocation from a different client

Jaap Francke <jaap.francke@iwelcome.com> Wed, 31 May 2017 10:01 UTC

Hi all,

It is only recently that I have been sticking my nose deeper into the various OAuth (draft) specifications.
I also recently joined this mailing list.
I have a question and I hope someone can help me.

I’ve been looking for a mechanism/endpoint/specification for token revocation.

RFC 7009 is aimed at token revocation by the client itself; logoff is the typical use case.
What I am looking for is a possibility for the end user (resource owner) to revoke one of his tokens from a different client.

Use cases for this would be:
- suspicion that the password is compromised, so the end user wants to change his password and terminate all sessions on any device. For such devices to regain access, they would need the new password.
- stolen/lost device; the end user should be able to revoke specific access/refresh tokens that have been issued for the stolen/lost device.

Any thoughts on this? 

Thanks in advance,

Jaap Francke
Product Manager iWelcome
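As an added illustration (not part of the original message, and not defined by any IETF specification), a toy authorization server that contrasts the two mechanisms the question distinguishes: an RFC 7009-style revocation endpoint, where a client may only revoke tokens issued to itself, next to resource-owner-initiated revocation for the two use cases above. The grant and device bookkeeping is an assumed design of this example, not something RFC 7009 specifies.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Token:
    value: str
    kind: str        # "access" or "refresh"
    client_id: str   # client the token was issued to
    subject: str     # resource owner
    grant_id: str    # ties the access and refresh tokens of one authorization grant
    device: str      # device label recorded at issuance (assumed design, not in RFC 7009)
    revoked: bool = False

class AuthorizationServer:
    def __init__(self):
        self.tokens = {}
    def issue(self, client_id, subject, device):
        grant = secrets.token_hex(4)
        pair = [Token(secrets.token_urlsafe(16), k, client_id, subject, grant, device)
                for k in ("access", "refresh")]
        for t in pair:
            self.tokens[t.value] = t
        return pair[0].value, pair[1].value
    def revoke(self, client_id, token_value):
        # RFC 7009 revocation endpoint, called by a client with its own credentials.
        tok = self.tokens.get(token_value)
        if tok is None:
            return True   # unknown token: still a 200, so nothing is leaked (RFC 7009 s2.2)
        if tok.client_id != client_id:
            return False  # token was issued to another client: request refused (RFC 7009 s2.1)
        tok.revoked = True
        if tok.kind == "refresh":
            # revoking a refresh token also invalidates access tokens of the same grant
            for t in self.tokens.values():
                if t.grant_id == tok.grant_id:
                    t.revoked = True
        return True
    def _revoke_where(self, pred):
        hit = [t for t in self.tokens.values() if pred(t) and not t.revoked]
        for t in hit:
            t.revoked = True
        return len(hit)
    def revoke_all_for_owner(self, subject):
        # Password-change case: the owner ends every session, whatever client issued it.
        return self._revoke_where(lambda t: t.subject == subject)
    def revoke_device(self, subject, device):
        # Lost-device case: the owner revokes only the tokens issued for that device.
        return self._revoke_where(lambda t: t.subject == subject and t.device == device)
    def is_active(self, token_value):
        tok = self.tokens.get(token_value)
        return tok is not None and not tok.revoked
```

The owner-facing methods are the part RFC 7009 leaves open: they are keyed on the resource owner (and a device label), not on the calling client, so they must be reachable only from an authenticated owner session rather than through the client-credentialed revocation endpoint.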