Components
This proposal is about the OAuth2 module of SteemConnect, more precisely about the https://steemconnect.com/api/oauth2/token/revoke endpoint.
Proposal
At the moment, there is no way to revoke a refresh token via the https://steemconnect.com/api/oauth2/token/revoke endpoint.
Currently, this endpoint revokes the access token provided in the Authorization header. I believe it would be really useful for developers to be able to also revoke the refresh token.
Mockups / Examples
My proposal is to change the current behavior of the https://steemconnect.com/api/oauth2/token/revoke endpoint. Here is how, in my opinion, it could work:
The core concept is that the token being revoked is the one provided in the request body, not the access_token provided in the Authorization header.
This would let a developer revoke both the refresh token and the access token through the same endpoint.
The request headers would include:
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
- Authorization: <access_token>
and the body:
- token, the access_token or refresh_token to revoke
- token_type_hint, where the developer specifies the type of token (access_token or refresh_token) provided in the token field
In my opinion, if token_type_hint is refresh_token, SteemConnect should revoke both the access token and the refresh token.
If token_type_hint is access_token, SteemConnect should revoke only the access token.
For more information, check this paper:
Benefits
With a revocable refresh token via the /api/oauth2/token/revoke endpoint, a developer would be able to delete all of a user's tokens once they are no longer needed. My proposal would make it safer to use the offline scope.
Posted on Utopian.io - Rewarding Open Source Contributors