[Openid-specs-ab] Discovery and Revocation Endpoint (RFC 7009)

n-sakimura n-sakimura at nri.co.jp
Mon Apr 7 13:23:39 UTC 2014

So, the thinking was that Access Token revocation should be dealt within 

ID Token is supposed to be one time / short lived token so revocation 
was not so much of an issue.

Session on the other hand has longer lifetime and thus we have end-session.


(2014/04/07 20:30), Thomas Broyer wrote:
> Hi,
> There doesn't seem to be anything in OpenID Discovery related to the
> Revocation Endpoint as defined by RFC 7009.
> It looks to me like a standard sign-out mechanism in a RP would be to:
> 1. revoke all tokens for the user
> 2. invalidate the session (javax.servlet.http.HttpSession#invalidate(),
> PHP's session_destroy, or any similar mechanism; along with any other
> processing needed by the RP)
> 3. redirect to the end_session_endpoint
> Currently, we can discover the end_session_endpoint, but not the token
> revocation endpoint.
> Is this a known limitation? Is it intentional?
> If not, should I open an issue?

Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
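The three-step RP sign-out Thomas describes, as an added example (not code from the list post or from any OpenID project): build the RFC 7009 revocation requests, drop the local session, then redirect to the end_session_endpoint. The discovery document and token values are constructed, and the `override` parameter is a hypothetical stand-in for an out-of-band configured revocation endpoint, since the discovery document in this thread has none.

```python
from urllib.parse import urlencode

# Constructed discovery document: it carries end_session_endpoint but, as the
# thread points out, no revocation_endpoint.
DISCOVERY = {
    "issuer": "https://op.example",
    "end_session_endpoint": "https://op.example/logout",
}


def revocation_requests(discovery, tokens, client_id, override=None):
    """Step 1: one RFC 7009 request (url, form body) per token.
    Returns [] when no endpoint is known so the caller still completes the
    local logout instead of failing the whole sign-out."""
    endpoint = discovery.get("revocation_endpoint") or override
    if endpoint is None:
        return []
    reqs = []
    # Refresh token first: RFC 7009 says revoking it SHOULD also revoke the
    # access tokens issued from it, so this does the most even if the second
    # request fails. client_id in the body stands in for a public client;
    # a confidential client authenticates as it does at the token endpoint.
    for hint in ("refresh_token", "access_token"):
        body = {"token": tokens[hint], "token_type_hint": hint, "client_id": client_id}
        reqs.append((endpoint, urlencode(body)))
    return reqs


def end_session_url(discovery, id_token, post_logout_redirect_uri):
    """Step 3: front-channel redirect carrying id_token_hint so the OP can
    tell which of its sessions to end."""
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri}
    return discovery["end_session_endpoint"] + "?" + urlencode(params)


def sign_out(session, discovery, client_id, post_logout_redirect_uri, override=None):
    """Order matters: revoke while the RP still holds the tokens, then clear
    the session (step 2, the equivalent of HttpSession#invalidate() or
    session_destroy()), then hand the browser to the OP."""
    tokens = {"refresh_token": session["refresh_token"], "access_token": session["access_token"]}
    reqs = revocation_requests(discovery, tokens, client_id, override)
    id_token = session["id_token"]
    session.clear()
    return reqs, end_session_url(discovery, id_token, post_logout_redirect_uri)
```

Since this 2014 exchange, RFC 8414 (OAuth 2.0 Authorization Server Metadata) defined an optional `revocation_endpoint` metadata key, so a current discovery document may carry it and the override becomes unnecessary.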
