Add Doorkeeper token revocation endpoint
tniezg opened this issue · 1 comments
Is your feature request related to a problem? Please describe.
Calling the token revocation endpoint is necessary to deactivate all tokens owned by a user that's trying to log out of a website. Doing so improves the security of the website. The tokens are deactivated immediately instead of naturally after reaching their expiration period, which for refresh tokens can take a long time and isn't standardised.
Describe the solution you'd like.
Add an auth endpoint to the SDK which calls Doorkeeper's token revoke endpoint included with Spree.
Describe alternatives you've considered.
Use tokens with a shorter expiration time. This is a highly variable setting and differs between websites. We can't assume that tokens will expire in a short time. It's often not a matter of security but of how tokens are used. Longer expiration times are sometimes needed.
Additional context
Auth0's JS library also expires tokens when logging out users.
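
A sketch of the logout-time revocation requested above, added here as an illustration; it is not code from the Spree SDK or from the issue author. It follows RFC 7009 (form-encoded `token` plus optional `token_type_hint`). Assumptions: the `/spree_oauth/revoke` path, the `store` object and the function names are hypothetical and should be adapted to the deployment.

```javascript
// Added example: RFC 7009 token revocation on logout.
// Assumption: Doorkeeper is mounted under /spree_oauth; adjust REVOKE_PATH if not.
const REVOKE_PATH = '/spree_oauth/revoke';

// Build the form-encoded revocation request for one token (RFC 7009, section 2.1).
function buildRevocationRequest(host, token, tokenTypeHint) {
  const body = new URLSearchParams({ token });
  if (tokenTypeHint) body.set('token_type_hint', tokenTypeHint);
  return {
    url: new URL(REVOKE_PATH, host).toString(),
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Revoke the refresh token first (it can mint new access tokens), then the
// access token. Local copies are cleared even if a server call fails, and
// the failure is reported so the caller can retry or log it.
async function revokeOnLogout(host, tokens, store, fetchImpl = fetch) {
  const pending = [
    ['refresh_token', tokens.refreshToken],
    ['access_token', tokens.accessToken],
  ].filter(([, value]) => Boolean(value));

  const results = [];
  for (const [hint, value] of pending) {
    const { url, init } = buildRevocationRequest(host, value, hint);
    try {
      const res = await fetchImpl(url, init);
      // RFC 7009: 200 covers both "revoked" and "token was already invalid".
      results.push({ hint, revoked: res.status === 200, status: res.status });
    } catch (err) {
      results.push({ hint, revoked: false, status: null, error: String(err) });
    }
  }
  store.clear(); // hypothetical client-side token store
  return { allRevoked: results.every((r) => r.revoked), results };
}
```

A caller that gets `allRevoked: false` back should treat the session as still live on the server until a retry succeeds or the tokens expire.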