Revoke-operation for oauth-tokens?

skonrad · January 10, 2017, 7:26pm

Hi everyone, I’m currently developing an app which uses the twitch api to update and display stream-information.

My app also allows the user to log-out. That’s where I only remove the token from the data-storage of the app.

As define within the OAuth2.0 definition, I’d also like to invalidate the token to be never usable again. I couldn’t find any information about such a route. So if the token get’s leaked by some reason, it can still be used (even if harm is intended!).

Is there any way to revoke the tokens access?

3ventic · January 10, 2017, 7:39pm

This is only possible via the user’s connection settings.

skonrad · January 10, 2017, 7:44pm

So this would be up to the user to revoke the full app its access, even when he might not know something got leaked.

Would be nice to have such a route to improve security though. Maybe in the future as it’s part of the OAuth2.0’s definition.

Thanks for the reply though.

system · February 9, 2017, 7:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.