-
-
Notifications
You must be signed in to change notification settings - Fork 662
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V51 revokation for OAuth tokens #2111
Comments
Sounds good to move 3.5.1 to the OAuth chapter. In #2040 @randomstuff suggests to have two requirements to address this:
I think this is good (perhaps change grant to consent?) and, if added, they replace 3.5.1. |
I don't think we can or need to require end-user access to the authorization server interface where they can revoke tokens. The user must have functionality and possibility to revoke given permissions, how this is technically achieved is out of ASVS scope. I used initial proposal and modified it a bit:
|
If we want to allow the user to revoke access tokens, it probably should not only be through interaction with the resource server. This is because the user might want to revoke access tokens because the user thinks the access tokens are being abused by the resource server which might compromised/malicious. Or maybe a malicious actor obtained the access from the authorization server and the resource server never had this token and cannot therefore revoke it. The user should probably have a way to revoke his access grants (maybe all of them) through interaction with the authorization server without going through the resource server. This might be achieved by revoking his credentials ("forgot my password") which could provide an option to revoke the user's grants. |
I think the current 3.5.1 is quite good with (not having) details saying how to achieve it, but just pointing out what must be done. |
Spin-off from #2040 (comment)
There is feedback for the proposal in #2040 (comment) to take into account.
We have requirements:
The requirement 3.5.1 is proposed to move to OAuth paragraph in #1917.
The requirement 3.5.7 is proposed to move to Access Control paragraph in #1917, also discussed in #2059
The text was updated successfully, but these errors were encountered: