Not sure if I’m doing something wrong, but tokens don’t seem to be invalidated after revoking application access in the connections settings.
Steps to reproduce
- Set up an application
- Send user to authorize link with ‘user_read’ scope
- POST returned code to /oauth/token, save access_token
- Check access_token works by viewing /kraken/user?oauth_token=[token]
- Revoke access to application in connections settings for authorized user
- Repeat step 4. Results should roughly match.
I was thinking step 6 would have returned some sort of unauthorized result, but it seems to still return the same user's info as it did before revoking access.
Also, repeating steps 2 to 6 allows all of the authorized tokens to work, even previous tokens, after re-authorizing an application.