Skip to content

feat: OAuth 2 token revocation (RFC 7009) #1508

New issue
New issue
Open
Open
feat: OAuth 2 token revocation (RFC 7009)#1508
Labels
help wanted
@YasharF

Description

@YasharF
YasharF
opened on Nov 11, 2025

Pre-requisites

  1. Hackathon Starter running locally
  2. HTTPS proxy configured (see Readme.md for ngrok/Cloudflare instructions)
  3. OAuth client keys obtained for at least two providers that support the RFC and two that do no. These are needed for manual testing which is required prior to the PR submission.

As of Nov 2025:

  • Providers known to support RFC 7009: Google, Microsoft, Twitch, Discord.
  • Providers that may not be supporting RFC 7009 (please verify): Facebook, GitHub, LinkedIn, QuickBooks, Steam, Trakt, Tumblr, X (Twitter)

Scope

  • When a user clicks "Unlink [provider]" on their account page:
    • If the provider supports RFC 7009, the app should POST to the revocation endpoint to revoke the access (and refresh) token.
  • When a user clicks "Delete Account" on their account page:
    • The app should do the above revocation for all linked providers that support RFC 7009.
  • There are no errors or integration breakage for providers that do not support RFC 7009.
  • [TBD: unit tests]

Manual verification

For each scenario below, verify:

  • You have cleared all user accounts and sessions from your DB prior to each test
  • No errors or functional breakage occur regardless of RFC 7009 support
  • The scenarios work for various combinations of providers that support or don't support the RFC
  • For providers that support RFC 7009, confirm in the provider’s privacy/3rd‑party access settings for your (test) user that the Hackathon Starter app is added when linked and removed when unlinked or deleted

Manual test scenarios:

  1. Create a local account using email. Go to /account and link, then unlink a provider at the bottom of the page.
  2. Create a local account using email. Go to /account, link a provider, then delete the account without unlinking the provider.
  3. Create a local account using email. Go to /account, link two or more providers, then delete the account without unlinking either provider.
  4. Create a new account using the "Sign in by" option on /login. Go to /account and delete the account.
  5. Create a new account using the "Sign in by" option on /login. Go to /account, link one or more other providers, and then delete the account without unlinking either provider.

Metadata

Metadata

Assignees

No one assigned

    Labels

    help wanted

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions