-
Notifications
You must be signed in to change notification settings - Fork 412
MSC4254: Usage of RFC7009 Token Revocation for Matrix client logout #4254
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 3 commits
ac1602f
797d26e
d78fa2a
9dff517
cd239ce
ef03a25
0536870
047beec
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,14 +16,17 @@ The discovery of the above metadata is out of scope for this MSC, and is current | |
|
||
### Token revocation | ||
|
||
When a user wants to log out from a client, the client should revoke either its access token or refresh token by making a POST request to the revocation endpoint as described in [RFC7009]. | ||
When a user wants to log out from a client, the client SHOULD revoke either its access token or refresh token by making a POST request to the revocation endpoint as described in [RFC7009]. | ||
|
||
The server must revoke both the access token and refresh token associated with the token provided in the request. | ||
The server MUST revoke both the access token and refresh token associated with the token provided in the request. | ||
|
||
The request includes: | ||
- The `token` parameter containing either the access token or refresh token to revoke | ||
- Optionally, the `token_type_hint` parameter, with either the `access_token` or `refresh_token` value. If provided, the server must use this value to determine which token to revoke | ||
- The `client_id` obtained during client registration | ||
The request includes the following parameters, encoded as `application/x-www-form-urlencoded`: | ||
|
||
- `token`: This parameter MUST contain either the access token or the refresh token to be revoked. | ||
- `token_type_hint`: This parameter is OPTIONAL, and if present, MUST have a value of either `access_token` or `refresh_token`. The server MAY use this value to optimize the token lookup process | ||
- `client_id`: The client identifier obtained during client registration. | ||
anoadragon453 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
||
If the `client_id` is not provided, or does not match the client associated with the token, the server SHOULD still revoke the token. The server MAY also warn the user that one of their sessions may be compromised in this scenario. | ||
|
||
|
||
#### Sample flow | ||
|
||
|
@@ -61,9 +64,11 @@ HTTP/1.1 200 OK | |
|
||
### Handling errors | ||
|
||
The server may return an error response as defined in [RFC7009]. The client should handle these errors appropriately: | ||
The server may return an error response as defined in [RFC7009]. Note that RFC7009 mandates a [RFC6749 error response](https://datatracker.ietf.org/doc/html/rfc6749#section-5.2) rather than a Matrix standard error response. | ||
|
||
The client should handle these errors appropriately: | ||
|
||
- If the token is already revoked, the server returns a 200 OK response | ||
- If the token is already revoked or invalid, the server returns a 200 OK response | ||
- If the client is not authorized to revoke the token, the server returns a 401 Unauthorized response | ||
- For other errors, the server returns a 400 Bad Request response with error details | ||
|
||
|
Uh oh!
There was an error while loading. Please reload this page.