In OAuth or OpenID Connect, let's say an attacker takes an access or refresh token and the browser's or app's caches are cleaned. Can a user revoke an access or refresh token issued by an Identity Provider if its string is not explicitly known?
If your token provider is at least an OAuth 2.0 provider, it has to implement OAuth 2.0 Token Revocation.
The URL should be delivered by an OpenID Connect provider as "revocation_endpoint" in the /.well-known/openid-configuration.
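The flow the answer describes, as an added example that is not part of the original post: a client reads `revocation_endpoint` from the provider's discovery document and builds the RFC 7009 revocation request, and a small in-memory model of the provider side shows what the endpoint does with it. The discovery document, the `idp.example.com` host, the client credentials and the token strings are all constructed for the example; nothing here contacts a real identity provider.

```python
"""RFC 7009 token revocation, client request plus a mock provider (example code)."""
import base64
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

# Constructed discovery document, as a provider would serve it from
# https://idp.example.com/.well-known/openid-configuration (hypothetical host).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "revocation_endpoint": "https://idp.example.com/oauth2/revoke",
})


def revocation_endpoint(discovery_json):
    """Pick the revocation_endpoint out of the discovery document."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("revocation_endpoint")
    if not endpoint:
        raise ValueError("provider publishes no revocation_endpoint")
    if not endpoint.startswith("https://"):
        raise ValueError("revocation_endpoint must be served over https")
    return endpoint


def build_revocation_request(discovery_json, client_id, client_secret,
                             token, token_type_hint=None):
    """RFC 7009 section 2.1: POST an application/x-www-form-urlencoded body
    with 'token' and an optional 'token_type_hint'.  The client authenticates
    the same way as at the token endpoint; HTTP Basic is used here."""
    params = {"token": token}
    if token_type_hint:
        params["token_type_hint"] = token_type_hint
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(
        revocation_endpoint(discovery_json),
        data=urlencode(params).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": f"Basic {creds}"},
        method="POST",
    )


class MockProvider:
    """In-memory model of the provider's revocation endpoint (constructed for
    the example).  Tokens are keyed by their exact string, which is what the
    RFC 7009 request carries: there is no per-user lookup on this endpoint."""

    def __init__(self):
        self.tokens = {}  # token string -> (kind, grant id)

    def issue(self, grant_id, access_token, refresh_token):
        self.tokens[access_token] = ("access_token", grant_id)
        self.tokens[refresh_token] = ("refresh_token", grant_id)

    def is_valid(self, token):
        return token in self.tokens

    def revoke(self, body):
        """Handle a revocation request body; return the HTTP status code."""
        form = parse_qs(body.decode())
        token = form.get("token", [None])[0]
        if token is None:
            return 400  # invalid_request: 'token' is required
        hint = form.get("token_type_hint", [None])[0]
        if hint not in (None, "access_token", "refresh_token"):
            return 400  # unsupported_token_type
        entry = self.tokens.pop(token, None)
        if entry and entry[0] == "refresh_token":
            # RFC 7009 section 2.1: revoking a refresh token SHOULD also
            # invalidate the access tokens issued for the same grant.
            grant = entry[1]
            for t, (_, g) in list(self.tokens.items()):
                if g == grant:
                    del self.tokens[t]
        # Unknown or already-revoked tokens still get 200 (section 2.2), so
        # the endpoint cannot be used to probe whether a token exists.
        return 200


def demo():
    """Revoke a refresh token and check that the linked access token died too."""
    idp = MockProvider()
    idp.issue("grant-1", "at-1", "rt-1")
    req = build_revocation_request(DISCOVERY_JSON, "client", "secret",
                                   "rt-1", "refresh_token")
    status = idp.revoke(req.data)
    return status, idp.is_valid("rt-1"), idp.is_valid("at-1")


if __name__ == "__main__":
    print(demo())
```

The mock shows the two points a practitioner runs into with this endpoint: the request must carry the token value itself, and revoking the refresh token is what sweeps away the access tokens that were issued alongside it.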