Implementation of rfc7009 (Token revocation endpoints)
SherinBloemendaal opened this issue · 3 comments
It would be very beneficial if we could implement https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 enabling clients to revoke their tokens. This is particularly useful for non-confidential clients, for instance, when logging out.
I've attempted to implement this, but the existing repositories only support revocation based on an identifier, not the token itself. While a client can determine the access token's identifier by decoding the JWT, the refresh token is hashed, so the client never knows its identifier.
I can work on a PR?
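The lookup problem described above, as an added illustration that is not code from this project: an RFC 7009 revocation handler that takes the token value itself, resolves an access token through its JWT `jti` claim and a refresh token through the stored hash of its value, and answers 200 even for unknown tokens (section 2.2). The in-memory stores, the `jti` claim, SHA-256 as the refresh-token hash and the unsigned toy JWT are all assumptions made for the example.

```python
import base64, hashlib, json, secrets
from typing import Optional

# Constructed in-memory stores standing in for the token repositories.
ACCESS_TOKENS = {}   # jti -> {"client_id": ..., "revoked": bool}
REFRESH_TOKENS = {}  # sha256(refresh token) -> {"client_id": ..., "revoked": bool}

def _hash_refresh(token: str) -> str:
    """Refresh tokens are stored only as a hash, so the value is hashed to find them."""
    return hashlib.sha256(token.encode()).hexdigest()

def issue_tokens(client_id: str):
    """Constructed issuance: unsigned JWT-shaped access token (toy, signature omitted)
    carrying a jti, plus an opaque refresh token persisted only as its hash."""
    jti = secrets.token_hex(8)
    claims = json.dumps({"jti": jti, "client_id": client_id}).encode()
    payload = base64.urlsafe_b64encode(claims).rstrip(b"=").decode()
    access = f"eyJhbGciOiJub25lIn0.{payload}."  # header is {"alg":"none"}; toy only
    refresh = secrets.token_urlsafe(32)
    ACCESS_TOKENS[jti] = {"client_id": client_id, "revoked": False}
    REFRESH_TOKENS[_hash_refresh(refresh)] = {"client_id": client_id, "revoked": False}
    return access, refresh

def _jti_from_jwt(token: str) -> Optional[str]:
    """Read the jti claim; a real server verifies the signature before trusting it."""
    try:
        _, payload, _ = token.split(".")
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload))["jti"]
    except (ValueError, KeyError):
        return None

def revoke(client_id: str, token: str, token_type_hint: Optional[str] = None) -> int:
    """RFC 7009 section 2.1: revoke by token value; the hint only orders the lookup."""
    if token_type_hint not in (None, "access_token", "refresh_token"):
        return 400  # unsupported_token_type
    order = ["access_token", "refresh_token"]
    if token_type_hint == "refresh_token":
        order.reverse()
    for kind in order:
        if kind == "access_token":
            rec = ACCESS_TOKENS.get(_jti_from_jwt(token))
        else:
            rec = REFRESH_TOKENS.get(_hash_refresh(token))
        if rec is not None:
            if rec["client_id"] == client_id:  # only the client the token was issued to
                rec["revoked"] = True
            return 200
    return 200  # unknown or already-invalid token still gets 200 (section 2.2)
```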
Good idea.
I can work on a PR?
Please yes 🙌
I think this would be better done in the core package. Can't recall if someone has submitted a PR for this or not though