[Openid-specs-ab] Discovery and Revocation Endpoint (RFC 7009)
t.broyer at gmail.com
Mon Apr 7 12:30:57 UTC 2014
There doesn't seem to be anything in OpenID Discovery related to the
Revocation Endpoint as defined by RFC 7009.
It looks to me like a standard sign-out mechanism in a RP would be to:
1. revoke all tokens for the user
2. invalidate the session (javax.servlet.http.HttpSession#invalidate(),
PHP's session_destroy, or any similar mechanism; along with any other
processing needed by the RP)
3. redirect to the end_session_endpoint
Currently, we can discover the end_session_endpoint, but not the token
Is this a known limitation? Is it intentional?
If not, should I open an issue?
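
The three-step sign-out listed in the message, sketched as an added example that is not part of the original post or of any OpenID specification text. It assumes the RP takes the revocation endpoint from its own configuration because discovery does not supply it; the issuer URLs, client credentials, token values and the function names are constructed for illustration, and requests are built but not sent.

```python
import base64
from urllib.parse import quote_plus, urlencode, urlsplit

# Constructed discovery document for a hypothetical OP: it advertises
# end_session_endpoint but carries no revocation endpoint.
DISCOVERY = {"issuer": "https://op.example",
             "end_session_endpoint": "https://op.example/logout"}

def revocation_request(endpoint, client_id, client_secret, token, hint):
    """Build (url, headers, body) for an RFC 7009 revocation POST."""
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("RFC 7009 requires an https revocation endpoint")
    if hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint not defined by RFC 7009")
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return endpoint, headers, urlencode({"token": token, "token_type_hint": hint})

def sign_out_plan(discovery, revocation_endpoint, client, tokens, session, return_to):
    """Return the ordered steps of the three-step sign-out in the post.

    revocation_endpoint comes from the RP's own configuration (None if the
    operator never set it), because discovery does not provide it.
    """
    steps = []
    if revocation_endpoint is None:
        # Tokens stay valid at the OP until they expire: record it.
        steps.append(("revocation_skipped", "no endpoint configured"))
    else:
        # Step 1: revoke every token held for the user.
        for hint in ("refresh_token", "access_token"):
            if tokens.get(hint):
                req = revocation_request(revocation_endpoint, *client, tokens[hint], hint)
                steps.append(("revoke", req))
    # Step 2: invalidate the local session (a dict stands in for HttpSession).
    session.clear()
    steps.append(("session_invalidated", None))
    # Step 3: redirect the browser to the discovered end_session_endpoint.
    query = urlencode({"post_logout_redirect_uri": return_to})
    steps.append(("redirect", discovery["end_session_endpoint"] + "?" + query))
    return steps
```

When no endpoint is configured the plan still invalidates the session and redirects, but the first step records that the tokens were left unrevoked.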