- changed status to open
revoking offline_access refresh tokens
As per Mike’s WGLC message, I noticed that:
https://openid.net/specs/openid-connect-backchannel-1_0-07.html#BCActions
contains the text:
NOTE: An open issue for the specification is whether to define an additional optional parameter in the logout token, probably as a value in the event-specific parameters JSON object, that explicitly signals that offline_access refresh tokens are also to be revoked.
I presume that text should be altered/removed before going to final.
Comments (3)
https://openid.net/specs/openid-connect-backchannel-1_0-07.html#LogoutToken included this text
The Logout Token is compatible with the Security Event Token (SET) [RFC8417] specification.
These tokens have different values for the “typ” header parameter, “secevent+jwt” and “logout+jwt”. This parameter is optional in both cases but if specified, they aren’t 100% compatible.
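The typ mismatch raised in the comment above, shown as a receiver-side type check. This is an added example, not part of the original thread or of the specification; the helper names, claim values and unsigned sample tokens are constructed assumptions.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(header: dict, claims: dict) -> str:
    """Constructed compact token with a dummy signature part (never verified here)."""
    parts = [b64url(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + ["sig"])

def header_typ(token: str):
    """Return the normalized 'typ' header value, or None when it is absent."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    typ = json.loads(base64.urlsafe_b64decode(padded)).get("typ")
    if typ is None:
        return None
    typ = str(typ).lower()  # media type names compare case-insensitively
    # RFC 7515 recommends omitting the "application/" prefix; accept both forms.
    prefix = "application/"
    return typ[len(prefix):] if typ.startswith(prefix) else typ

def typ_acceptable(token: str, expected: str, require_typ: bool = False) -> bool:
    """Type check only; signature and claim validation are out of scope here."""
    typ = header_typ(token)
    if typ is None:
        return not require_typ  # 'typ' is optional unless the receiver insists
    return typ == expected

# Constructed sample claims for a back-channel logout token.
CLAIMS = {
    "iss": "https://op.example", "aud": "client-1", "iat": 1700000000,
    "jti": "constructed-id", "sub": "user-1",
    "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
}
LOGOUT_TYPED = make_token({"alg": "RS256", "typ": "logout+jwt"}, CLAIMS)
UNTYPED = make_token({"alg": "RS256"}, CLAIMS)

if __name__ == "__main__":
    # A generic SET receiver enforcing "secevent+jwt" rejects the typed logout token.
    print(typ_acceptable(LOGOUT_TYPED, "secevent+jwt"))
    print(typ_acceptable(LOGOUT_TYPED, "logout+jwt"))
    # Without 'typ', both receivers accept: the compatible case.
    print(typ_acceptable(UNTYPED, "secevent+jwt"))
```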
- changed status to resolved
Will be fixed by https://bitbucket.org/openid/connect/pull-requests/158/removed-note-about-revoking-offline_access