[Openid-specs-ab] Discovery and Revocation Endpoint (RFC 7009)

Thomas Broyer t.broyer at gmail.com
Mon Apr 7 12:30:57 UTC 2014


There doesn't seem to be anything in OpenID Discovery related to the
Revocation Endpoint as defined by RFC 7009.

It looks to me like a standard sign-out mechanism in a RP would be to:
1. revoke all tokens for the user
2. invalidate the session (javax.servlet.http.HttpSession#invalidate(),
PHP's session_destroy, or any similar mechanism; along with any other
processing needed by the RP)
3. redirect to the end_session_endpoint

Currenly, we can discover the end_session_endpoint, but not the token
revocation endpoint.

Is this a known limitation? Is it intentional?
If not, should I open an issue?

Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140407/34e1a580/attachment.html>

More information about the Openid-specs-ab mailing list